bump version to 7.2.10-1

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

.gitignore

@@ -0,0 +1,7 @@
+/*.build
+/*.buildinfo
+/*.changes
+/*.deb
+/*.dsc
+/*.tar*
+/pve-qemu-kvm-*.*/

Makefile

@@ -1,33 +1,54 @@
-include /usr/share/dpkg/pkg-info.mk
-include /usr/share/dpkg/architecture.mk
+include /usr/share/dpkg/default.mk
 
 PACKAGE = pve-qemu-kvm
 
 SRCDIR := qemu
-BUILDDIR ?= ${PACKAGE}-${DEB_VERSION_UPSTREAM}
+BUILDDIR ?= $(PACKAGE)-$(DEB_VERSION_UPSTREAM)
+ORIG_SRC_TAR=$(PACKAGE)_$(DEB_VERSION_UPSTREAM).orig.tar.gz
 
 GITVERSION := $(shell git rev-parse HEAD)
 
-DEB = ${PACKAGE}_${DEB_VERSION_UPSTREAM_REVISION}_${DEB_BUILD_ARCH}.deb
-DEB_DBG = ${PACKAGE}-dbg_${DEB_VERSION_UPSTREAM_REVISION}_${DEB_BUILD_ARCH}.deb
+DSC=$(PACKAGE)_$(DEB_VERSION_UPSTREAM_REVISION).dsc
+DEB = $(PACKAGE)_$(DEB_VERSION_UPSTREAM_REVISION)_$(DEB_BUILD_ARCH).deb
+DEB_DBG = $(PACKAGE)-dbg_$(DEB_VERSION_UPSTREAM_REVISION)_$(DEB_BUILD_ARCH).deb
 DEBS = $(DEB) $(DEB_DBG)
 
 all: $(DEBS)
 
 .PHONY: submodule
 submodule:
-	test -f "${SRCDIR}/configure" || git submodule update --init --recursive
+	test -f "$(SRCDIR)/configure" || git submodule update --init --recursive
+
+PC_BIOS_FW_PURGE_LIST_IN = \
+	hppa-firmware.img \
+	openbios-ppc \
+	openbios-sparc32 \
+	openbios-sparc64 \
+	palcode-clipper \
+	s390-ccw.img \
+	s390-netboot.img \
+	u-boot.e500 \
+	.*\.dtb \
+	qemu_vga.ndrv \
+	slof.bin \
+	opensbi-riscv.*-generic-fw_dynamic.bin \
+
+BLOB_PURGE_SED_CMDS = $(foreach FILE,$(PC_BIOS_FW_PURGE_LIST_IN),-e "/$(FILE)/d")
+BLOB_PURGE_FILTER = $(foreach FILE,$(PC_BIOS_FW_PURGE_LIST_IN),-e "$(FILE)")
 
 $(BUILDDIR): keycodemapdb | submodule
 	# check if qemu/ was used for a build
 	# if so, please run 'make distclean' in the submodule and try again
 	test ! -f $(SRCDIR)/build/config.status
-	rm -rf $(BUILDDIR)
-	cp -a $(SRCDIR) $(BUILDDIR)
-	cp -a debian $(BUILDDIR)/debian
-	rm -rf $(BUILDDIR)/ui/keycodemapdb
-	cp -a keycodemapdb $(BUILDDIR)/ui/
-	echo "git clone git://git.proxmox.com/git/pve-qemu.git\\ngit checkout $(GITVERSION)" > $(BUILDDIR)/debian/SOURCE
+	rm -rf $@.tmp $@
+	cp -a $(SRCDIR) $@.tmp
+	cp -a debian $@.tmp/debian
+	rm -rf $@.tmp/ui/keycodemapdb
+	cp -a keycodemapdb $@.tmp/ui/
+	find $@.tmp/pc-bios -type f | grep $(BLOB_PURGE_FILTER) | xargs rm -f
+	sed -i $(BLOB_PURGE_SED_CMDS) $@.tmp/pc-bios/meson.build
+	echo "git clone git://git.proxmox.com/git/pve-qemu.git\\ngit checkout $(GITVERSION)" > $@.tmp/debian/SOURCE
+	mv $@.tmp $@
 
 .PHONY: deb kvm
 deb kvm: $(DEBS)
@@ -36,6 +57,21 @@ $(DEB): $(BUILDDIR)
 	cd $(BUILDDIR); dpkg-buildpackage -b -us -uc -j
 	lintian $(DEBS)
 
+sbuild: $(DSC)
+	sbuild $(DSC)
+
+$(ORIG_SRC_TAR): $(BUILDDIR)
+	tar czf $(ORIG_SRC_TAR) --exclude="$(BUILDDIR)/debian" $(BUILDDIR)
+
+.PHONY: dsc
+dsc:
+	rm -rf *.dsc $(BUILDDIR)
+	$(MAKE) $(DSC)
+	lintian $(DSC)
+
+$(DSC): $(ORIG_SRC_TAR) $(BUILDDIR)
+	cd $(BUILDDIR); dpkg-buildpackage -S -us -uc -d
+
 .PHONY: update
 update:
 	cd $(SRCDIR) && git submodule deinit ui/keycodemapdb || true
@@ -48,13 +84,14 @@ update:
 	git add keycodemapdb
 
 .PHONY: upload
+upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
 upload: $(DEBS)
-	tar cf - ${DEBS} | ssh repoman@repo.proxmox.com upload --product pve --dist bullseye
+	tar cf - $(DEBS) | ssh repoman@repo.proxmox.com upload --product pve --dist $(UPLOAD_DIST)
 
 .PHONY: distclean clean
 distclean: clean
 clean:
-	rm -rf $(BUILDDIR) $(PACKAGE)*.deb *.buildinfo *.changes
+	rm -rf $(PACKAGE)-[0-9]*/ $(PACKAGE)*.tar* *.deb *.dsc *.build *.buildinfo *.changes
 
 .PHONY: dinstall
 dinstall: $(DEBS)

debian/changelog

@@ -1,3 +1,160 @@
+pve-qemu-kvm (7.2.10-1) bullseye; urgency=medium
+
+  * update patches and submodule to QEMU stable 7.2.10
+
+  * pick up some extra fixes from upcoming 7.2.11 to, e.g., avoid releasing a
+    regression for i386 that happened in the 7.2.10 stable release.
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 10 Apr 2024 15:47:27 +0200
+
+pve-qemu-kvm (7.2.0-8) bullseye; urgency=medium
+
+  * backport fix for ACPI CPU hotplug issue with TCG
+
+  * cherry-pick TCG-related stable fixes for 7.2 for users that turned off KVM
+    HW acceleration
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 17 Mar 2023 15:47:08 +0100
+
+pve-qemu-kvm (7.2.0-7) bullseye; urgency=medium
+
+  * improve fix for potential deadlock with trim for IDE/SATA and draining
+
+  * backport stable fixes:
+    - hw/nvme: fix missing endian conversions for doorbell buffers
+    - hw/smbios: fix field corruption in type 4 table
+    - virtio-rng-pci: fix transitional migration compat for vectors
+    - hw/timer/hpet: Fix expiration time overflow
+    - vhost/vdpa: stop all svq on device deletion
+    - vhost: avoid a potential use of an uninitialized variable in the call to
+      vhost_svq_poll
+    - chardev/char-socket: set s->listener = NULL in char_socket_finalize to
+      fix a potential crash after live-migration
+    - intel-iommu: fail MAP notifier without caching mode
+    - intel-iommu: fail DEVIOTLB_UNMAP without dt mode
+
+  * fix a regression for when the LSI SCSI controller is used
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 13 Mar 2023 17:42:49 +0100
+
+pve-qemu-kvm (7.2.0-6) bullseye; urgency=medium
+
+  * fix 7.2 regression for Linux boot failures with megasas SCSI
+
+  * fix 7.0 regression for a potential deadlock with trim for IDE/SATA and
+    draining
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 08 Mar 2023 14:32:17 +0100
+
+pve-qemu-kvm (7.2.0-5) bullseye; urgency=medium
+
+  * fix #4476: savevm-async: avoid looping without progress
+
+  * savevm-async: decrease the boundary for free space for (memory) state left
+    on target from 30 MiB to 100 MiB, improving the heuristic for when to
+    enter the final "pause and sync" stage.
+
+  * QMP backup: use correct error number when getting blockdrive length fails
+
+  * backport fix for some DMA reentrancy issues, better protecting against
+    malicious guests
+
+  * backport fix for iSCSI double free issue leading to crashes
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 21 Feb 2023 13:49:43 +0100
+
+pve-qemu-kvm (7.2.0-4) bullseye; urgency=medium
+
+  * backport fix for a 7.2 regression when using VirtIO disk with
+    detect-zeroes=unmap
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Jan 2023 09:37:49 +0100
+
+pve-qemu-kvm (7.2.0-3) bullseye; urgency=medium
+
+  * add fix for live-migration with virtio-rng devices, which regressed in
+    QEMU 7.2.0.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jan 2023 13:13:14 +0100
+
+pve-qemu-kvm (7.2.0-2) bullseye; urgency=medium
+
+  * enable slirp again for now, as in qemu-server, user networking is
+    supported (via CLI/API) when no bridge is set on a virtual NIC
+
+  * cherry-pick stable fixes for 7.2. Two for virtio-mem and one for vIOMMU.
+    Both features are not yet exposed in PVE's qemu-server, but there's work
+    going on to change that.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 10 Jan 2023 15:47:48 +0100
+
+pve-qemu-kvm (7.2.0-1) bullseye; urgency=medium
+
+  * update to QEMU stable release 7.2.0
+
+  * drop 'slirp' networking
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Dec 2022 13:18:21 +0100
+
+pve-qemu-kvm (7.1.0-4) bullseye; urgency=medium
+
+  * cherry-pick "block/block-backend: blk_set_enable_write_cache is IO_CODE"
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 22 Nov 2022 09:21:06 +0100
+
+pve-qemu-kvm (7.1.0-3) bullseye; urgency=medium
+
+  * init: daemonize: defuse PID file resolve error to a warning at max, fixing
+    some usecases that regressed with 7.1, like tracking start up in our
+    file-restore VM.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Oct 2022 10:27:49 +0200
+
+pve-qemu-kvm (7.1.0-2) bullseye; urgency=medium
+
+  * fix an issue with error handling in async backup code
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 18 Oct 2022 15:33:44 +0200
+
+pve-qemu-kvm (7.1.0-1) bullseye; urgency=medium
+
+  * update to QEMU stable release 7.1.0
+
+  * add fix for io_uring_register_ring_fd from upstream
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 14 Oct 2022 14:54:09 +0200
+
+pve-qemu-kvm (7.0.0-4) bullseye; urgency=medium
+
+  * add revision to version output
+
+  * PVE Backup: allow passing max-workers performance setting
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Oct 2022 11:55:37 +0200
+
+pve-qemu-kvm (7.0.0-3) bullseye; urgency=medium
+
+  * savevm-async: avoid segfault when aborting snapshot creation task
+
+  * savevm-async: set SAVE_STATE_DONE when closing state file was successful
+    allowing one to start a new snapshot task after aborting one.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 30 Aug 2022 12:54:03 +0200
+
+pve-qemu-kvm (7.0.0-2) bullseye; urgency=medium
+
+  * backport "io_uring: fix short read slow path"
+
+  * backport "e1000: set RX descriptor status in a separate operation"
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 20 Jul 2022 09:17:07 +0200
+
+pve-qemu-kvm (7.0.0-1) bullseye; urgency=medium
+
+  * update to QEMU stable release 7.0.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Jun 2022 11:07:37 +0200
+
 pve-qemu-kvm (6.2.0-11) bullseye; urgency=medium
 
   * add 'namespace' to BlockdevOptionsPbs for live-restore support

debian/control

@@ -16,21 +16,21 @@ Build-Depends: autotools-dev,
                libglusterfs-dev (>= 5.2-2),
                libgnutls28-dev,
                libiscsi-dev (>= 1.12.0),
-               libjemalloc-dev,
                libjpeg-dev,
                libjson-perl,
                libnuma-dev,
                libpci-dev,
                libpixman-1-dev,
-               libproxmox-backup-qemu0-dev (>= 1.3.0-1),
+               libproxmox-backup-qemu0-dev (>= 1.3.0),
                librbd-dev (>= 0.48),
                libsdl1.2-dev,
                libseccomp-dev,
+               libslirp-dev,
                libspice-protocol-dev (>= 0.12.14~),
                libspice-server-dev (>= 0.14.0~),
                libsystemd-dev,
                liburing-dev,
-               libusb-1.0-0-dev (>= 1.0.17-1),
+               libusb-1.0-0-dev (>= 1.0.17),
                libusbredirparser-dev (>= 0.6-2),
                libvirglrenderer-dev,
                libzstd-dev,
@@ -57,7 +57,6 @@ Depends: ceph-common (>= 0.48),
          libglusterfs-dev | glusterfs-common (>= 5.6),
          libglusterfs0 | glusterfs-common (>= 5.6),
          libiscsi4 (>= 1.12.0) | libiscsi7,
-         libjemalloc2,
          libjpeg62-turbo,
          libspice-server1 (>= 0.14.0~),
          libusb-1.0-0 (>= 1.0.17-1),
@@ -65,8 +64,8 @@ Depends: ceph-common (>= 0.48),
          libuuid1,
          ${misc:Depends},
          ${shlibs:Depends},
-Recommends: numactl
-Suggests: libgl1
+Recommends: numactl,
+Suggests: libgl1,
 Conflicts: kvm,
            pve-kvm,
            pve-qemu-kvm-2.6.18,
@@ -74,9 +73,10 @@ Conflicts: kvm,
            qemu-kvm,
            qemu-system-arm,
            qemu-system-common,
+           qemu-system-data,
            qemu-system-x86,
            qemu-utils,
-Provides: qemu-system-arm, qemu-system-x86, qemu-utils
+Provides: qemu-system-arm, qemu-system-x86, qemu-utils,
 Replaces: pve-kvm,
           pve-qemu-kvm-2.6.18,
           qemu-system-arm,
@@ -90,6 +90,6 @@ Description: Full virtualization on x86 hardware
 Package: pve-qemu-kvm-dbg
 Architecture: any
 Section: debug
-Depends: pve-qemu-kvm (= ${binary:Version})
+Depends: pve-qemu-kvm (= ${binary:Version}),
 Description: pve qemu debugging symbols
  This package contains the debugging symbols for pve-qemu-kvm.

debian/parse-machines.pl

@@ -24,4 +24,5 @@ while (<STDIN>) {
 
 die "no QEMU machine types detected from STDIN input" if scalar (@$machines) <= 0;
 
-print to_json($machines, { utf8 => 1 }) or die "$!\n";
+print to_json($machines, { utf8 => 1, canonical => 1 })
+    or die "failed to encode detected machines as JSON - $!\n";

debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch

@@ -28,18 +28,18 @@ Signed-off-by: John Snow <jsnow@redhat.com>
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- block/mirror.c                   | 98 +++++++++++++++++++++++++-------
- blockdev.c                       | 39 ++++++++++++-
- include/block/block_int.h        |  4 +-
- qapi/block-core.json             | 29 ++++++++--
- tests/unit/test-block-iothread.c |  4 +-
+ block/mirror.c                         | 98 +++++++++++++++++++++-----
+ blockdev.c                             | 39 +++++++++-
+ include/block/block_int-global-state.h |  4 +-
+ qapi/block-core.json                   | 29 ++++++--
+ tests/unit/test-block-iothread.c       |  4 +-
  5 files changed, 145 insertions(+), 29 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index efec2c7674..f7804638f9 100644
+index 251adc5ae0..8ead5f77a0 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
-@@ -50,7 +50,7 @@ typedef struct MirrorBlockJob {
+@@ -51,7 +51,7 @@ typedef struct MirrorBlockJob {
      BlockDriverState *to_replace;
      /* Used to block operations on the drive-mirror-replace target */
      Error *replace_blocker;
@@ -48,7 +48,7 @@ index efec2c7674..f7804638f9 100644
      BlockMirrorBackingMode backing_mode;
      /* Whether the target image requires explicit zero-initialization */
      bool zero_target;
-@@ -64,6 +64,8 @@ typedef struct MirrorBlockJob {
+@@ -65,6 +65,8 @@ typedef struct MirrorBlockJob {
      size_t buf_size;
      int64_t bdev_length;
      unsigned long *cow_bitmap;
@@ -57,7 +57,7 @@ index efec2c7674..f7804638f9 100644
      BdrvDirtyBitmap *dirty_bitmap;
      BdrvDirtyBitmapIter *dbi;
      uint8_t *buf;
-@@ -695,7 +697,8 @@ static int mirror_exit_common(Job *job)
+@@ -699,7 +701,8 @@ static int mirror_exit_common(Job *job)
      bdrv_child_refresh_perms(mirror_top_bs, mirror_top_bs->backing,
                               &error_abort);
      if (!abort && s->backing_mode == MIRROR_SOURCE_BACKING_CHAIN) {
@@ -67,7 +67,7 @@ index efec2c7674..f7804638f9 100644
          BlockDriverState *unfiltered_target = bdrv_skip_filters(target_bs);
  
          if (bdrv_cow_bs(unfiltered_target) != backing) {
-@@ -800,6 +803,16 @@ static void mirror_abort(Job *job)
+@@ -797,6 +800,16 @@ static void mirror_abort(Job *job)
      assert(ret == 0);
  }
  
@@ -84,7 +84,7 @@ index efec2c7674..f7804638f9 100644
  static void coroutine_fn mirror_throttle(MirrorBlockJob *s)
  {
      int64_t now = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
-@@ -979,7 +992,8 @@ static int coroutine_fn mirror_run(Job *job, Error **errp)
+@@ -977,7 +990,8 @@ static int coroutine_fn mirror_run(Job *job, Error **errp)
      mirror_free_init(s);
  
      s->last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
@@ -94,7 +94,7 @@ index efec2c7674..f7804638f9 100644
          ret = mirror_dirty_init(s);
          if (ret < 0 || job_is_cancelled(&s->common.job)) {
              goto immediate_exit;
-@@ -1221,6 +1235,7 @@ static const BlockJobDriver mirror_job_driver = {
+@@ -1224,6 +1238,7 @@ static const BlockJobDriver mirror_job_driver = {
          .run                    = mirror_run,
          .prepare                = mirror_prepare,
          .abort                  = mirror_abort,
@@ -102,7 +102,7 @@ index efec2c7674..f7804638f9 100644
          .pause                  = mirror_pause,
          .complete               = mirror_complete,
          .cancel                 = mirror_cancel,
-@@ -1237,6 +1252,7 @@ static const BlockJobDriver commit_active_job_driver = {
+@@ -1240,6 +1255,7 @@ static const BlockJobDriver commit_active_job_driver = {
          .run                    = mirror_run,
          .prepare                = mirror_prepare,
          .abort                  = mirror_abort,
@@ -110,7 +110,7 @@ index efec2c7674..f7804638f9 100644
          .pause                  = mirror_pause,
          .complete               = mirror_complete,
          .cancel                 = commit_active_cancel,
-@@ -1602,7 +1618,10 @@ static BlockJob *mirror_start_job(
+@@ -1627,7 +1643,10 @@ static BlockJob *mirror_start_job(
                               BlockCompletionFunc *cb,
                               void *opaque,
                               const BlockJobDriver *driver,
@@ -122,11 +122,12 @@ index efec2c7674..f7804638f9 100644
                               bool auto_complete, const char *filter_node_name,
                               bool is_mirror, MirrorCopyMode copy_mode,
                               Error **errp)
-@@ -1614,10 +1633,39 @@ static BlockJob *mirror_start_job(
+@@ -1639,10 +1658,39 @@ static BlockJob *mirror_start_job(
      uint64_t target_perms, target_shared_perms;
      int ret;
  
 -    if (granularity == 0) {
+-        granularity = bdrv_get_default_bitmap_granularity(target);
 +    if (sync_mode == MIRROR_SYNC_MODE_INCREMENTAL) {
 +        error_setg(errp, "Sync mode '%s' not supported",
 +                   MirrorSyncMode_str(sync_mode));
@@ -147,8 +148,8 @@ index efec2c7674..f7804638f9 100644
 +                   "sync mode '%s' is not compatible with bitmaps",
 +                   MirrorSyncMode_str(sync_mode));
 +        return NULL;
-+    }
-+
+     }
+ 
 +    if (bitmap) {
 +        if (granularity) {
 +            error_setg(errp, "granularity (%d)"
@@ -158,13 +159,12 @@ index efec2c7674..f7804638f9 100644
 +        }
 +        granularity = bdrv_dirty_bitmap_granularity(bitmap);
 +    } else if (granularity == 0) {
-         granularity = bdrv_get_default_bitmap_granularity(target);
-     }
--
++        granularity = bdrv_get_default_bitmap_granularity(target);
++    }
      assert(is_power_of_2(granularity));
  
      if (buf_size < 0) {
-@@ -1755,7 +1803,9 @@ static BlockJob *mirror_start_job(
+@@ -1774,7 +1822,9 @@ static BlockJob *mirror_start_job(
      s->replaces = g_strdup(replaces);
      s->on_source_error = on_source_error;
      s->on_target_error = on_target_error;
@@ -175,7 +175,7 @@ index efec2c7674..f7804638f9 100644
      s->backing_mode = backing_mode;
      s->zero_target = zero_target;
      s->copy_mode = copy_mode;
-@@ -1776,6 +1826,18 @@ static BlockJob *mirror_start_job(
+@@ -1795,6 +1845,18 @@ static BlockJob *mirror_start_job(
          bdrv_disable_dirty_bitmap(s->dirty_bitmap);
      }
  
@@ -194,7 +194,7 @@ index efec2c7674..f7804638f9 100644
      ret = block_job_add_bdrv(&s->common, "source", bs, 0,
                               BLK_PERM_WRITE_UNCHANGED | BLK_PERM_WRITE |
                               BLK_PERM_CONSISTENT_READ,
-@@ -1853,6 +1915,9 @@ fail:
+@@ -1872,6 +1934,9 @@ fail:
          if (s->dirty_bitmap) {
              bdrv_release_dirty_bitmap(s->dirty_bitmap);
          }
@@ -204,7 +204,7 @@ index efec2c7674..f7804638f9 100644
          job_early_fail(&s->common.job);
      }
  
-@@ -1870,29 +1935,23 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
+@@ -1889,31 +1954,25 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
                    BlockDriverState *target, const char *replaces,
                    int creation_flags, int64_t speed,
                    uint32_t granularity, int64_t buf_size,
@@ -221,6 +221,8 @@ index efec2c7674..f7804638f9 100644
 -    bool is_none_mode;
      BlockDriverState *base;
  
+     GLOBAL_STATE_CODE();
+ 
 -    if ((mode == MIRROR_SYNC_MODE_INCREMENTAL) ||
 -        (mode == MIRROR_SYNC_MODE_BITMAP)) {
 -        error_setg(errp, "Sync mode '%s' not supported",
@@ -239,7 +241,7 @@ index efec2c7674..f7804638f9 100644
  }
  
  BlockJob *commit_active_start(const char *job_id, BlockDriverState *bs,
-@@ -1917,7 +1976,8 @@ BlockJob *commit_active_start(const char *job_id, BlockDriverState *bs,
+@@ -1940,7 +1999,8 @@ BlockJob *commit_active_start(const char *job_id, BlockDriverState *bs,
                       job_id, bs, creation_flags, base, NULL, speed, 0, 0,
                       MIRROR_LEAVE_BACKING_CHAIN, false,
                       on_error, on_error, true, cb, opaque,
@@ -250,7 +252,7 @@ index efec2c7674..f7804638f9 100644
                       errp);
      if (!job) {
 diff --git a/blockdev.c b/blockdev.c
-index b35072644e..9940116fe0 100644
+index ae27a41efa..a0c7e0c13b 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -2956,6 +2956,10 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
@@ -341,11 +343,11 @@ index b35072644e..9940116fe0 100644
                             zero_target, has_speed, speed,
                             has_granularity, granularity,
                             has_buf_size, buf_size,
-diff --git a/include/block/block_int.h b/include/block/block_int.h
-index f4c75e8ba9..ee0aeb1414 100644
---- a/include/block/block_int.h
-+++ b/include/block/block_int.h
-@@ -1287,7 +1287,9 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
+diff --git a/include/block/block_int-global-state.h b/include/block/block_int-global-state.h
+index b49f4eb35b..9d744db618 100644
+--- a/include/block/block_int-global-state.h
++++ b/include/block/block_int-global-state.h
+@@ -149,7 +149,9 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
                    BlockDriverState *target, const char *replaces,
                    int creation_flags, int64_t speed,
                    uint32_t granularity, int64_t buf_size,
@@ -357,10 +359,10 @@ index f4c75e8ba9..ee0aeb1414 100644
                    BlockdevOnError on_source_error,
                    BlockdevOnError on_target_error,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 1d3dd9cb48..da5dca1e3b 100644
+index 95ac4fa634..7daaf545be 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -1995,10 +1995,19 @@
+@@ -2000,10 +2000,19 @@
  #        (all the disk, only the sectors allocated in the topmost image, or
  #        only new I/O).
  #
@@ -381,7 +383,7 @@ index 1d3dd9cb48..da5dca1e3b 100644
  #
  # @buf-size: maximum amount of data in flight from source to
  #            target (since 1.4).
-@@ -2036,7 +2045,9 @@
+@@ -2043,7 +2052,9 @@
  { 'struct': 'DriveMirror',
    'data': { '*job-id': 'str', 'device': 'str', 'target': 'str',
              '*format': 'str', '*node-name': 'str', '*replaces': 'str',
@@ -392,7 +394,7 @@ index 1d3dd9cb48..da5dca1e3b 100644
              '*speed': 'int', '*granularity': 'uint32',
              '*buf-size': 'int', '*on-source-error': 'BlockdevOnError',
              '*on-target-error': 'BlockdevOnError',
-@@ -2308,10 +2319,19 @@
+@@ -2322,10 +2333,19 @@
  #        (all the disk, only the sectors allocated in the topmost image, or
  #        only new I/O).
  #
@@ -413,7 +415,7 @@ index 1d3dd9cb48..da5dca1e3b 100644
  #
  # @buf-size: maximum amount of data in flight from source to
  #            target
-@@ -2360,7 +2380,8 @@
+@@ -2375,7 +2395,8 @@
  { 'command': 'blockdev-mirror',
    'data': { '*job-id': 'str', 'device': 'str', 'target': 'str',
              '*replaces': 'str',
@@ -424,10 +426,10 @@ index 1d3dd9cb48..da5dca1e3b 100644
              '*buf-size': 'int', '*on-source-error': 'BlockdevOnError',
              '*on-target-error': 'BlockdevOnError',
 diff --git a/tests/unit/test-block-iothread.c b/tests/unit/test-block-iothread.c
-index aea660aeed..22b9770a3e 100644
+index 8ca5adec5e..dae80e5a5f 100644
 --- a/tests/unit/test-block-iothread.c
 +++ b/tests/unit/test-block-iothread.c
-@@ -626,8 +626,8 @@ static void test_propagate_mirror(void)
+@@ -755,8 +755,8 @@ static void test_propagate_mirror(void)
  
      /* Start a mirror job */
      mirror_start("job0", src, target, NULL, JOB_DEFAULT, 0, 0, 0,
@@ -437,4 +439,4 @@ index aea660aeed..22b9770a3e 100644
 +                 false, BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
                   false, "filter_node", MIRROR_COPY_MODE_BACKGROUND,
                   &error_abort);
-     job = job_get("job0");
+     WITH_JOB_LOCK_GUARD() {

debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch

@@ -24,10 +24,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 18 insertions(+), 6 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index f7804638f9..4f5f74e2cf 100644
+index 8ead5f77a0..35c1b8f25d 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
-@@ -672,8 +672,6 @@ static int mirror_exit_common(Job *job)
+@@ -676,8 +676,6 @@ static int mirror_exit_common(Job *job)
          bdrv_unfreeze_backing_chain(mirror_top_bs, target_bs);
      }
  
@@ -36,9 +36,9 @@ index f7804638f9..4f5f74e2cf 100644
      /* Make sure that the source BDS doesn't go away during bdrv_replace_node,
       * before we can call bdrv_drained_end */
      bdrv_ref(src);
-@@ -781,6 +779,18 @@ static int mirror_exit_common(Job *job)
-     blk_set_perm(bjob->blk, 0, BLK_PERM_ALL, &error_abort);
-     blk_insert_bs(bjob->blk, mirror_top_bs, &error_abort);
+@@ -778,6 +776,18 @@ static int mirror_exit_common(Job *job)
+     block_job_remove_all_bdrv(bjob);
+     bdrv_replace_node(mirror_top_bs, mirror_top_bs->backing->bs, &error_abort);
  
 +    if (s->sync_bitmap) {
 +        if (s->bitmap_mode == BITMAP_SYNC_MODE_ALWAYS ||
@@ -55,7 +55,7 @@ index f7804638f9..4f5f74e2cf 100644
      bs_opaque->job = NULL;
  
      bdrv_drained_end(src);
-@@ -1643,10 +1653,6 @@ static BlockJob *mirror_start_job(
+@@ -1668,10 +1678,6 @@ static BlockJob *mirror_start_job(
                         " sync mode",
                         MirrorSyncMode_str(sync_mode));
              return NULL;
@@ -66,7 +66,7 @@ index f7804638f9..4f5f74e2cf 100644
          }
      } else if (bitmap) {
          error_setg(errp,
-@@ -1663,6 +1669,12 @@ static BlockJob *mirror_start_job(
+@@ -1688,6 +1694,12 @@ static BlockJob *mirror_start_job(
              return NULL;
          }
          granularity = bdrv_dirty_bitmap_granularity(bitmap);

debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch

@@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/blockdev.c b/blockdev.c
-index 9940116fe0..b113e57d68 100644
+index a0c7e0c13b..98b9dff154 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -3055,6 +3055,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,

debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch

@@ -16,10 +16,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 4 insertions(+), 7 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index 4f5f74e2cf..7024f3bbf0 100644
+index 35c1b8f25d..4969c6833c 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
-@@ -785,8 +785,8 @@ static int mirror_exit_common(Job *job)
+@@ -782,8 +782,8 @@ static int mirror_exit_common(Job *job)
               job->ret == 0 && ret == 0)) {
              /* Success; synchronize copy back to sync. */
              bdrv_clear_dirty_bitmap(s->sync_bitmap, NULL);
@@ -30,7 +30,7 @@ index 4f5f74e2cf..7024f3bbf0 100644
          }
      }
      bdrv_release_dirty_bitmap(s->dirty_bitmap);
-@@ -1843,11 +1843,8 @@ static BlockJob *mirror_start_job(
+@@ -1862,11 +1862,8 @@ static BlockJob *mirror_start_job(
      }
  
      if (s->sync_mode == MIRROR_SYNC_MODE_BITMAP) {

debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch

@@ -19,10 +19,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 70 insertions(+), 59 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index 7024f3bbf0..6211ff22fc 100644
+index 4969c6833c..cf85ae1074 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
-@@ -1643,31 +1643,13 @@ static BlockJob *mirror_start_job(
+@@ -1668,31 +1668,13 @@ static BlockJob *mirror_start_job(
      uint64_t target_perms, target_shared_perms;
      int ret;
  
@@ -60,7 +60,7 @@ index 7024f3bbf0..6211ff22fc 100644
  
          if (bitmap_mode != BITMAP_SYNC_MODE_NEVER) {
 diff --git a/blockdev.c b/blockdev.c
-index b113e57d68..4be0863050 100644
+index 98b9dff154..5b15a86bfa 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -3034,7 +3034,36 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,

debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch

@@ -48,7 +48,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  6 files changed, 59 insertions(+), 5 deletions(-)
 
 diff --git a/include/monitor/monitor.h b/include/monitor/monitor.h
-index 12d395d62d..b182943324 100644
+index 737e750670..38804b8595 100644
 --- a/include/monitor/monitor.h
 +++ b/include/monitor/monitor.h
 @@ -16,6 +16,7 @@ extern QemuOptsList qemu_mon_opts;
@@ -60,10 +60,10 @@ index 12d395d62d..b182943324 100644
  void monitor_init_globals(void);
  void monitor_init_globals_core(void);
 diff --git a/monitor/monitor-internal.h b/monitor/monitor-internal.h
-index 3da3f86c6a..9953e0cd2d 100644
+index a2cdbbf646..b531bd50e7 100644
 --- a/monitor/monitor-internal.h
 +++ b/monitor/monitor-internal.h
-@@ -151,6 +151,13 @@ typedef struct {
+@@ -152,6 +152,13 @@ typedef struct {
      QemuMutex qmp_queue_lock;
      /* Input queue that holds all the parsed QMP requests */
      GQueue *qmp_requests;
@@ -78,7 +78,7 @@ index 3da3f86c6a..9953e0cd2d 100644
  
  /**
 diff --git a/monitor/monitor.c b/monitor/monitor.c
-index 21c7a68758..ad9813567a 100644
+index 86949024f6..c306cadcf4 100644
 --- a/monitor/monitor.c
 +++ b/monitor/monitor.c
 @@ -135,6 +135,21 @@ bool monitor_cur_is_qmp(void)
@@ -104,7 +104,7 @@ index 21c7a68758..ad9813567a 100644
   * Is @mon is using readline?
   * Note: not all HMP monitors use readline, e.g., gdbserver has a
 diff --git a/monitor/qmp.c b/monitor/qmp.c
-index 092c527b6f..6b8cfcf6d8 100644
+index acd0a350c2..cc1407e4ac 100644
 --- a/monitor/qmp.c
 +++ b/monitor/qmp.c
 @@ -141,6 +141,8 @@ static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
@@ -135,7 +135,7 @@ index 092c527b6f..6b8cfcf6d8 100644
      qobject_unref(rsp);
  }
  
-@@ -444,6 +456,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
+@@ -427,6 +439,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
  
      switch (event) {
      case CHR_EVENT_OPENED:
@@ -144,10 +144,10 @@ index 092c527b6f..6b8cfcf6d8 100644
          monitor_qmp_caps_reset(mon);
          data = qmp_greeting(mon);
 diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
-index d378bccac7..fb8936e7cd 100644
+index 5d000fae87..404d428824 100644
 --- a/qapi/qmp-dispatch.c
 +++ b/qapi/qmp-dispatch.c
-@@ -118,16 +118,28 @@ typedef struct QmpDispatchBH {
+@@ -117,16 +117,28 @@ typedef struct QmpDispatchBH {
      QObject **ret;
      Error **errp;
      Coroutine *co;
@@ -180,19 +180,19 @@ index d378bccac7..fb8936e7cd 100644
      aio_co_wake(data->co);
  }
  
-@@ -232,6 +244,7 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request,
+@@ -253,6 +265,7 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request,
              .ret        = &ret,
              .errp       = &err,
              .co         = qemu_coroutine_self(),
 +            .conn_nr    = monitor_get_connection_nr(cur_mon),
          };
-         aio_bh_schedule_oneshot(qemu_get_aio_context(), do_qmp_dispatch_bh,
+         aio_bh_schedule_oneshot(iohandler_get_aio_context(), do_qmp_dispatch_bh,
                                  &data);
 diff --git a/stubs/monitor-core.c b/stubs/monitor-core.c
-index d058a2a00d..3290b58120 100644
+index afa477aae6..d3ff124bf3 100644
 --- a/stubs/monitor-core.c
 +++ b/stubs/monitor-core.c
-@@ -13,6 +13,11 @@ Monitor *monitor_set_cur(Coroutine *co, Monitor *mon)
+@@ -12,6 +12,11 @@ Monitor *monitor_set_cur(Coroutine *co, Monitor *mon)
      return NULL;
  }
  

debian/patches/extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Fri, 28 Oct 2022 10:09:46 +0200
+Subject: [PATCH] init: daemonize: defuse PID file resolve error
+
+When proxmox-file-restore invokes QEMU, the PID file is a (temporary)
+file that's already unlinked, so resolving the absolute path here
+failed.
+
+It should not be a critical error when the PID file unlink handler
+can't be registered, because the path can't be resolved for whatever
+reason. If the file is already gone from QEMU's perspective (i.e.
+errno is ENOENT), silently ignore the error. Otherwise, print a
+warning.
+
+Reported-by: Dominik Csapak <d.csapak@proxmox.com>
+Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ softmmu/vl.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/softmmu/vl.c b/softmmu/vl.c
+index 38d76d6e51..7aa3eb5cf9 100644
+--- a/softmmu/vl.c
++++ b/softmmu/vl.c
+@@ -2468,10 +2468,11 @@ static void qemu_maybe_daemonize(const char *pid_file)
+ 
+         pid_file_realpath = g_malloc0(PATH_MAX);
+         if (!realpath(pid_file, pid_file_realpath)) {
+-            error_report("cannot resolve PID file path: %s: %s",
+-                         pid_file, strerror(errno));
+-            unlink(pid_file);
+-            exit(1);
++            if (errno != ENOENT) {
++                warn_report("not removing PID file on exit: cannot resolve PID "
++                            "file path: %s: %s", pid_file, strerror(errno));
++            }
++            return;
+         }
+ 
+         qemu_unlink_pidfile_notifier = (struct UnlinkPidfileNotifier) {

debian/patches/extra/0002-monitor-hmp-add-support-for-flag-argument-with-value.patch

@@ -1,55 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Reiter <s.reiter@proxmox.com>
-Date: Wed, 1 Sep 2021 16:51:04 +0200
-Subject: [PATCH] monitor/hmp: add support for flag argument with value
-
-Adds support for the "-xS" parameter type, where "-x" denotes a flag
-name and the "S" suffix indicates that this flag is supposed to take an
-arbitrary string parameter.
-
-These parameters are always optional, the entry in the qdict will be
-omitted if the flag is not given.
-
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- monitor/hmp.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/monitor/hmp.c b/monitor/hmp.c
-index b20737e63c..b29dbb1833 100644
---- a/monitor/hmp.c
-+++ b/monitor/hmp.c
-@@ -981,6 +981,7 @@ static QDict *monitor_parse_arguments(Monitor *mon,
-             {
-                 const char *tmp = p;
-                 int skip_key = 0;
-+                int ret;
-                 /* option */
- 
-                 c = *typestr++;
-@@ -1003,8 +1004,22 @@ static QDict *monitor_parse_arguments(Monitor *mon,
-                     }
-                     if (skip_key) {
-                         p = tmp;
-+                    } else if (*typestr == 'S') {
-+                        /* has option with string value */
-+                        typestr++;
-+                        tmp = p++;
-+                        while (qemu_isspace(*p)) {
-+                            p++;
-+                        }
-+                        ret = get_str(buf, sizeof(buf), &p);
-+                        if (ret < 0) {
-+                            monitor_printf(mon, "%s: value expected for -%c\n",
-+                                           cmd->name, *tmp);
-+                            goto fail;
-+                        }
-+                        qdict_put_str(qdict, key, buf);
-                     } else {
--                        /* has option */
-+                        /* has boolean option */
-                         p++;
-                         qdict_put_bool(qdict, key, true);
-                     }

debian/patches/extra/0003-monitor-refactor-set-expire_password-and-allow-VNC-d.patch

@@ -1,477 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Reiter <s.reiter@proxmox.com>
-Date: Wed, 25 Aug 2021 11:14:13 +0200
-Subject: [PATCH] monitor: refactor set/expire_password and allow VNC display
- id
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It is possible to specify more than one VNC server on the command line,
-either with an explicit ID or the auto-generated ones à la "default",
-"vnc2", "vnc3", ...
-
-It is not possible to change the password on one of these extra VNC
-displays though. Fix this by adding a "display" parameter to the
-"set_password" and "expire_password" QMP and HMP commands.
-
-For HMP, the display is specified using the "-d" value flag.
-
-For QMP, the schema is updated to explicitly express the supported
-variants of the commands with protocol-discriminated unions.
-
-Suggested-by: Eric Blake <eblake@redhat.com>
-Suggested-by: Markus Armbruster <armbru@redhat.com>
-Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
----
- hmp-commands.hx    |  24 ++++---
- monitor/hmp-cmds.c |  57 +++++++++++++++-
- monitor/qmp-cmds.c |  62 ++++++-----------
- qapi/ui.json       | 165 ++++++++++++++++++++++++++++++++++++++-------
- 4 files changed, 231 insertions(+), 77 deletions(-)
-
-diff --git a/hmp-commands.hx b/hmp-commands.hx
-index 70a9136ac2..5efb47fc32 100644
---- a/hmp-commands.hx
-+++ b/hmp-commands.hx
-@@ -1514,33 +1514,35 @@ ERST
- 
-     {
-         .name       = "set_password",
--        .args_type  = "protocol:s,password:s,connected:s?",
--        .params     = "protocol password action-if-connected",
-+        .args_type  = "protocol:s,password:s,display:-dS,connected:s?",
-+        .params     = "protocol password [-d display] [action-if-connected]",
-         .help       = "set spice/vnc password",
-         .cmd        = hmp_set_password,
-     },
- 
- SRST
--``set_password [ vnc | spice ] password [ action-if-connected ]``
--  Change spice/vnc password.  *action-if-connected* specifies what
--  should happen in case a connection is established: *fail* makes the
--  password change fail.  *disconnect* changes the password and
-+``set_password [ vnc | spice ] password [ -d display ] [ action-if-connected ]``
-+  Change spice/vnc password.  *display* can be used with 'vnc' to specify
-+  which display to set the password on.  *action-if-connected* specifies
-+  what should happen in case a connection is established: *fail* makes
-+  the password change fail.  *disconnect* changes the password and
-   disconnects the client.  *keep* changes the password and keeps the
-   connection up.  *keep* is the default.
- ERST
- 
-     {
-         .name       = "expire_password",
--        .args_type  = "protocol:s,time:s",
--        .params     = "protocol time",
-+        .args_type  = "protocol:s,time:s,display:-dS",
-+        .params     = "protocol time [-d display]",
-         .help       = "set spice/vnc password expire-time",
-         .cmd        = hmp_expire_password,
-     },
- 
- SRST
--``expire_password [ vnc | spice ]`` *expire-time*
--  Specify when a password for spice/vnc becomes
--  invalid. *expire-time* accepts:
-+``expire_password [ vnc | spice ] expire-time [ -d display ]``
-+  Specify when a password for spice/vnc becomes invalid.
-+  *display* behaves the same as in ``set_password``.
-+  *expire-time* accepts:
- 
-   ``now``
-     Invalidate password instantly.
-diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index 9c91bf93e9..2e91ccb738 100644
---- a/monitor/hmp-cmds.c
-+++ b/monitor/hmp-cmds.c
-@@ -1384,10 +1384,41 @@ void hmp_set_password(Monitor *mon, const QDict *qdict)
- {
-     const char *protocol  = qdict_get_str(qdict, "protocol");
-     const char *password  = qdict_get_str(qdict, "password");
-+    const char *display = qdict_get_try_str(qdict, "display");
-     const char *connected = qdict_get_try_str(qdict, "connected");
-     Error *err = NULL;
-+    DisplayProtocol proto;
- 
--    qmp_set_password(protocol, password, !!connected, connected, &err);
-+    SetPasswordOptions opts = {
-+        .password = g_strdup(password),
-+        .u.vnc.display = NULL,
-+    };
-+
-+    proto = qapi_enum_parse(&DisplayProtocol_lookup, protocol,
-+                            DISPLAY_PROTOCOL_VNC, &err);
-+    if (err) {
-+        hmp_handle_error(mon, err);
-+        return;
-+    }
-+    opts.protocol = proto;
-+
-+    if (proto == DISPLAY_PROTOCOL_VNC) {
-+        opts.u.vnc.has_display = !!display;
-+        opts.u.vnc.display = g_strdup(display);
-+    } else if (proto == DISPLAY_PROTOCOL_SPICE) {
-+        opts.u.spice.has_connected = !!connected;
-+        opts.u.spice.connected =
-+            qapi_enum_parse(&SetPasswordAction_lookup, connected,
-+                            SET_PASSWORD_ACTION_KEEP, &err);
-+        if (err) {
-+            hmp_handle_error(mon, err);
-+            return;
-+        }
-+    }
-+
-+    qmp_set_password(&opts, &err);
-+    g_free(opts.password);
-+    g_free(opts.u.vnc.display);
-     hmp_handle_error(mon, err);
- }
- 
-@@ -1395,9 +1426,31 @@ void hmp_expire_password(Monitor *mon, const QDict *qdict)
- {
-     const char *protocol  = qdict_get_str(qdict, "protocol");
-     const char *whenstr = qdict_get_str(qdict, "time");
-+    const char *display = qdict_get_try_str(qdict, "display");
-     Error *err = NULL;
-+    DisplayProtocol proto;
- 
--    qmp_expire_password(protocol, whenstr, &err);
-+    ExpirePasswordOptions opts = {
-+        .time = g_strdup(whenstr),
-+        .u.vnc.display = NULL,
-+    };
-+
-+    proto = qapi_enum_parse(&DisplayProtocol_lookup, protocol,
-+                            DISPLAY_PROTOCOL_VNC, &err);
-+    if (err) {
-+        hmp_handle_error(mon, err);
-+        return;
-+    }
-+    opts.protocol = proto;
-+
-+    if (proto == DISPLAY_PROTOCOL_VNC) {
-+        opts.u.vnc.has_display = !!display;
-+        opts.u.vnc.display = g_strdup(display);
-+    }
-+
-+    qmp_expire_password(&opts, &err);
-+    g_free(opts.time);
-+    g_free(opts.u.vnc.display);
-     hmp_handle_error(mon, err);
- }
- 
-diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
-index 343353e27a..729ca7cceb 100644
---- a/monitor/qmp-cmds.c
-+++ b/monitor/qmp-cmds.c
-@@ -167,45 +167,30 @@ void qmp_system_wakeup(Error **errp)
-     qemu_system_wakeup_request(QEMU_WAKEUP_REASON_OTHER, errp);
- }
- 
--void qmp_set_password(const char *protocol, const char *password,
--                      bool has_connected, const char *connected, Error **errp)
-+void qmp_set_password(SetPasswordOptions *opts, Error **errp)
- {
--    int disconnect_if_connected = 0;
--    int fail_if_connected = 0;
--    int rc;
-+    bool disconnect_if_connected = false;
-+    bool fail_if_connected = false;
-+    int rc = 0;
- 
--    if (has_connected) {
--        if (strcmp(connected, "fail") == 0) {
--            fail_if_connected = 1;
--        } else if (strcmp(connected, "disconnect") == 0) {
--            disconnect_if_connected = 1;
--        } else if (strcmp(connected, "keep") == 0) {
--            /* nothing */
--        } else {
--            error_setg(errp, QERR_INVALID_PARAMETER, "connected");
--            return;
--        }
--    }
--
--    if (strcmp(protocol, "spice") == 0) {
-+    if (opts->protocol == DISPLAY_PROTOCOL_SPICE) {
-         if (!qemu_using_spice(errp)) {
-             return;
-         }
--        rc = qemu_spice.set_passwd(password, fail_if_connected,
-+        if (opts->u.spice.has_connected) {
-+            fail_if_connected =
-+                opts->u.spice.connected == SET_PASSWORD_ACTION_FAIL;
-+            disconnect_if_connected =
-+                opts->u.spice.connected == SET_PASSWORD_ACTION_DISCONNECT;
-+        }
-+        rc = qemu_spice.set_passwd(opts->password, fail_if_connected,
-                                    disconnect_if_connected);
--    } else if (strcmp(protocol, "vnc") == 0) {
--        if (fail_if_connected || disconnect_if_connected) {
--            /* vnc supports "connected=keep" only */
--            error_setg(errp, QERR_INVALID_PARAMETER, "connected");
--            return;
--        }
-+    } else if (opts->protocol == DISPLAY_PROTOCOL_VNC) {
-         /* Note that setting an empty password will not disable login through
-          * this interface. */
--        rc = vnc_display_password(NULL, password);
--    } else {
--        error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "protocol",
--                   "'vnc' or 'spice'");
--        return;
-+        rc = vnc_display_password(
-+                opts->u.vnc.has_display ? opts->u.vnc.display : NULL,
-+                opts->password);
-     }
- 
-     if (rc != 0) {
-@@ -213,11 +198,11 @@ void qmp_set_password(const char *protocol, const char *password,
-     }
- }
- 
--void qmp_expire_password(const char *protocol, const char *whenstr,
--                         Error **errp)
-+void qmp_expire_password(ExpirePasswordOptions *opts, Error **errp)
- {
-     time_t when;
-     int rc;
-+    const char* whenstr = opts->time;
- 
-     if (strcmp(whenstr, "now") == 0) {
-         when = 0;
-@@ -229,17 +214,14 @@ void qmp_expire_password(const char *protocol, const char *whenstr,
-         when = strtoull(whenstr, NULL, 10);
-     }
- 
--    if (strcmp(protocol, "spice") == 0) {
-+    if (opts->protocol == DISPLAY_PROTOCOL_SPICE) {
-         if (!qemu_using_spice(errp)) {
-             return;
-         }
-         rc = qemu_spice.set_pw_expire(when);
--    } else if (strcmp(protocol, "vnc") == 0) {
--        rc = vnc_display_pw_expire(NULL, when);
--    } else {
--        error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "protocol",
--                   "'vnc' or 'spice'");
--        return;
-+    } else if (opts->protocol == DISPLAY_PROTOCOL_VNC) {
-+        rc = vnc_display_pw_expire(
-+                opts->u.vnc.has_display ? opts->u.vnc.display : NULL, when);
-     }
- 
-     if (rc != 0) {
-diff --git a/qapi/ui.json b/qapi/ui.json
-index d7567ac866..4244c62c30 100644
---- a/qapi/ui.json
-+++ b/qapi/ui.json
-@@ -9,22 +9,23 @@
- { 'include': 'common.json' }
- { 'include': 'sockets.json' }
- 
-+##
-+# @DisplayProtocol:
-+#
-+# Display protocols which support changing password options.
-+#
-+# Since: 6.2
-+#
-+##
-+{ 'enum': 'DisplayProtocol',
-+  'data': [ { 'name': 'vnc', 'if': 'CONFIG_VNC' },
-+            { 'name': 'spice', 'if': 'CONFIG_SPICE' } ] }
-+
- ##
- # @set_password:
- #
- # Sets the password of a remote display session.
- #
--# @protocol: - 'vnc' to modify the VNC server password
--#            - 'spice' to modify the Spice server password
--#
--# @password: the new password
--#
--# @connected: how to handle existing clients when changing the
--#             password.  If nothing is specified, defaults to 'keep'
--#             'fail' to fail the command if clients are connected
--#             'disconnect' to disconnect existing clients
--#             'keep' to maintain existing clients
--#
- # Returns: - Nothing on success
- #          - If Spice is not enabled, DeviceNotFound
- #
-@@ -37,16 +38,123 @@
- # <- { "return": {} }
- #
- ##
--{ 'command': 'set_password',
--  'data': {'protocol': 'str', 'password': 'str', '*connected': 'str'} }
-+{ 'command': 'set_password', 'boxed': true, 'data': 'SetPasswordOptions' }
-+
-+##
-+# @SetPasswordOptions:
-+#
-+# Data required to set a new password on a display server protocol.
-+#
-+# @protocol: - 'vnc' to modify the VNC server password
-+#            - 'spice' to modify the Spice server password
-+#
-+# @password: the new password
-+#
-+# Since: 6.2
-+#
-+##
-+{ 'union': 'SetPasswordOptions',
-+  'base': { 'protocol': 'DisplayProtocol',
-+            'password': 'str' },
-+  'discriminator': 'protocol',
-+  'data': { 'vnc': 'SetPasswordOptionsVnc',
-+            'spice': 'SetPasswordOptionsSpice' } }
-+
-+##
-+# @SetPasswordAction:
-+#
-+# An action to take on changing a password on a connection with active clients.
-+#
-+# @fail: fail the command if clients are connected
-+#
-+# @disconnect: disconnect existing clients
-+#
-+# @keep: maintain existing clients
-+#
-+# Since: 6.2
-+#
-+##
-+{ 'enum': 'SetPasswordAction',
-+  'data': [ 'fail', 'disconnect', 'keep' ] }
-+
-+##
-+# @SetPasswordActionVnc:
-+#
-+# See @SetPasswordAction. VNC only supports the keep action. 'connection'
-+# should just be omitted for VNC, this is kept for backwards compatibility.
-+#
-+# @keep: maintain existing clients
-+#
-+# Since: 6.2
-+#
-+##
-+{ 'enum': 'SetPasswordActionVnc',
-+  'data': [ 'keep' ] }
-+
-+##
-+# @SetPasswordOptionsSpice:
-+#
-+# Options for set_password specific to the VNC procotol.
-+#
-+# @connected: How to handle existing clients when changing the
-+#             password. If nothing is specified, defaults to 'keep'.
-+#
-+# Since: 6.2
-+#
-+##
-+{ 'struct': 'SetPasswordOptionsSpice',
-+  'data': { '*connected': 'SetPasswordAction' } }
-+
-+##
-+# @SetPasswordOptionsVnc:
-+#
-+# Options for set_password specific to the VNC procotol.
-+#
-+# @display: The id of the display where the password should be changed.
-+#           Defaults to the first.
-+#
-+# @connected: How to handle existing clients when changing the
-+#             password.
-+#
-+# Features:
-+# @deprecated: For VNC, @connected will always be 'keep', parameter should be
-+#              omitted.
-+#
-+# Since: 6.2
-+#
-+##
-+{ 'struct': 'SetPasswordOptionsVnc',
-+  'data': { '*display': 'str',
-+            '*connected': { 'type': 'SetPasswordActionVnc',
-+                            'features': ['deprecated'] } } }
- 
- ##
- # @expire_password:
- #
- # Expire the password of a remote display server.
- #
--# @protocol: the name of the remote display protocol 'vnc' or 'spice'
-+# Returns: - Nothing on success
-+#          - If @protocol is 'spice' and Spice is not active, DeviceNotFound
- #
-+# Since: 0.14
-+#
-+# Example:
-+#
-+# -> { "execute": "expire_password", "arguments": { "protocol": "vnc",
-+#                                                   "time": "+60" } }
-+# <- { "return": {} }
-+#
-+##
-+{ 'command': 'expire_password', 'boxed': true, 'data': 'ExpirePasswordOptions' }
-+
-+##
-+# @ExpirePasswordOptions:
-+#
-+# Data required to set password expiration on a display server protocol.
-+#
-+# @protocol: - 'vnc' to modify the VNC server expiration
-+#            - 'spice' to modify the Spice server expiration
-+
- # @time: when to expire the password.
- #
- #        - 'now' to expire the password immediately
-@@ -54,24 +162,33 @@
- #        - '+INT' where INT is the number of seconds from now (integer)
- #        - 'INT' where INT is the absolute time in seconds
- #
--# Returns: - Nothing on success
--#          - If @protocol is 'spice' and Spice is not active, DeviceNotFound
--#
--# Since: 0.14
--#
- # Notes: Time is relative to the server and currently there is no way to
- #        coordinate server time with client time.  It is not recommended to
- #        use the absolute time version of the @time parameter unless you're
- #        sure you are on the same machine as the QEMU instance.
- #
--# Example:
-+# Since: 6.2
- #
--# -> { "execute": "expire_password", "arguments": { "protocol": "vnc",
--#                                                   "time": "+60" } }
--# <- { "return": {} }
-+##
-+{ 'union': 'ExpirePasswordOptions',
-+  'base': { 'protocol': 'DisplayProtocol',
-+            'time': 'str' },
-+  'discriminator': 'protocol',
-+  'data': { 'vnc': 'ExpirePasswordOptionsVnc' } }
-+
-+##
-+# @ExpirePasswordOptionsVnc:
-+#
-+# Options for expire_password specific to the VNC procotol.
-+#
-+# @display: The id of the display where the expiration should be changed.
-+#           Defaults to the first.
-+#
-+# Since: 6.2
- #
- ##
--{ 'command': 'expire_password', 'data': {'protocol': 'str', 'time': 'str'} }
-+{ 'struct': 'ExpirePasswordOptionsVnc',
-+  'data': { '*display': 'str' } }
- 
- ##
- # @screendump:

debian/patches/extra/0003-scsi-megasas-Internal-cdbs-have-16-byte-length.patch

@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 28 Feb 2023 09:11:29 -0800
+Subject: [PATCH] scsi: megasas: Internal cdbs have 16-byte length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Host drivers do not necessarily set cdb_len in megasas io commands.
+With commits 6d1511cea0 ("scsi: Reject commands if the CDB length
+exceeds buf_len") and fe9d8927e2 ("scsi: Add buf_len parameter to
+scsi_req_new()"), this results in failures to boot Linux from affected
+SCSI drives because cdb_len is set to 0 by the host driver.
+Set the cdb length to its actual size to solve the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+(picked-up from https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg08653.html)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/scsi/megasas.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 9cbbb16121..d624866bb6 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -1780,7 +1780,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+     uint8_t cdb[16];
+     int len;
+     struct SCSIDevice *sdev = NULL;
+-    int target_id, lun_id, cdb_len;
++    int target_id, lun_id;
+ 
+     lba_count = le32_to_cpu(cmd->frame->io.header.data_len);
+     lba_start_lo = le32_to_cpu(cmd->frame->io.lba_lo);
+@@ -1789,7 +1789,6 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+ 
+     target_id = cmd->frame->header.target_id;
+     lun_id = cmd->frame->header.lun_id;
+-    cdb_len = cmd->frame->header.cdb_len;
+ 
+     if (target_id < MFI_MAX_LD && lun_id == 0) {
+         sdev = scsi_device_find(&s->bus, 0, target_id, lun_id);
+@@ -1804,15 +1803,6 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+         return MFI_STAT_DEVICE_NOT_FOUND;
+     }
+ 
+-    if (cdb_len > 16) {
+-        trace_megasas_scsi_invalid_cdb_len(
+-            mfi_frame_desc(frame_cmd), 1, target_id, lun_id, cdb_len);
+-        megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
+-        cmd->frame->header.scsi_status = CHECK_CONDITION;
+-        s->event_count++;
+-        return MFI_STAT_SCSI_DONE_WITH_ERROR;
+-    }
+-
+     cmd->iov_size = lba_count * sdev->blocksize;
+     if (megasas_map_sgl(s, cmd, &cmd->frame->io.sgl)) {
+         megasas_write_sense(cmd, SENSE_CODE(TARGET_FAILURE));
+@@ -1823,7 +1813,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+ 
+     megasas_encode_lba(cdb, lba_start, lba_count, is_write);
+     cmd->req = scsi_req_new(sdev, cmd->index,
+-                            lun_id, cdb, cdb_len, cmd);
++                            lun_id, cdb, sizeof(cdb), cmd);
+     if (!cmd->req) {
+         trace_megasas_scsi_req_alloc_failed(
+             mfi_frame_desc(frame_cmd), target_id, lun_id);

debian/patches/extra/0004-ide-avoid-potential-deadlock-when-draining-during-tr.patch

@@ -0,0 +1,100 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Tue, 7 Mar 2023 15:03:02 +0100
+Subject: [PATCH] ide: avoid potential deadlock when draining during trim
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The deadlock can happen as follows:
+1. ide_issue_trim is called, and increments the in_flight counter.
+2. ide_issue_trim_cb calls blk_aio_pdiscard.
+3. Somebody else starts draining (e.g. backup to insert the cbw node).
+4. ide_issue_trim_cb is called as the completion callback for
+   blk_aio_pdiscard.
+5. ide_issue_trim_cb issues yet another blk_aio_pdiscard request.
+6. The request is added to the wait queue via blk_wait_while_drained,
+   because draining has been started.
+7. Nobody ever decrements the in_flight counter and draining can't
+   finish. This would be done by ide_trim_bh_cb, which is called after
+   ide_issue_trim_cb has issued its last request, but
+   ide_issue_trim_cb is not called anymore, because it's the
+   completion callback of blk_aio_pdiscard, which waits on draining.
+
+Quoting Hanna Czenczek:
+> The point of 7e5cdb345f was that we need any in-flight count to
+> accompany a set s->bus->dma->aiocb. While blk_aio_pdiscard() is
+> happening, we don’t necessarily need another count. But we do need
+> it while there is no blk_aio_pdiscard().
+> ide_issue_trim_cb() returns in two cases (and, recursively through
+> its callers, leaves s->bus->dma->aiocb set):
+> 1. After calling blk_aio_pdiscard(), which will keep an in-flight
+>    count,
+> 2. After calling replay_bh_schedule_event() (i.e.
+>    qemu_bh_schedule()), which does not keep an in-flight count.
+
+Thus, even after moving the blk_inc_in_flight to above the
+replay_bh_schedule_event call, the invariant "ide_issue_trim_cb
+returns with an accompanying in-flight count" is still satisfied.
+
+However, the issue 7e5cdb345f fixed for canceling resurfaces, because
+ide_cancel_dma_sync assumes that it just needs to drain once. But now
+the in_flight count is not consistently > 0 during the trim operation.
+So, change it to drain until !s->bus->dma->aiocb, which means that the
+operation finished (s->bus->dma->aiocb is cleared by ide_set_inactive
+via the ide_dma_cb when the end of the transfer is reached).
+
+Discussion here:
+https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg02506.html
+
+Fixes: 7e5cdb345f ("ide: Increment BB in-flight counter for TRIM BH")
+Suggested-by: Hanna Czenczek <hreitz@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/ide/core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 3e97d665d9..a0f6801bce 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -443,7 +443,7 @@ static void ide_trim_bh_cb(void *opaque)
+     iocb->bh = NULL;
+     qemu_aio_unref(iocb);
+ 
+-    /* Paired with an increment in ide_issue_trim() */
++    /* Paired with an increment in ide_issue_trim_cb() */
+     blk_dec_in_flight(blk);
+ }
+ 
+@@ -503,6 +503,8 @@ static void ide_issue_trim_cb(void *opaque, int ret)
+ done:
+     iocb->aiocb = NULL;
+     if (iocb->bh) {
++        /* Paired with a decrement in ide_trim_bh_cb() */
++        blk_inc_in_flight(s->blk);
+         replay_bh_schedule_event(iocb->bh);
+     }
+ }
+@@ -515,9 +517,6 @@ BlockAIOCB *ide_issue_trim(
+     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
+     TrimAIOCB *iocb;
+ 
+-    /* Paired with a decrement in ide_trim_bh_cb() */
+-    blk_inc_in_flight(s->blk);
+-
+     iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
+     iocb->s = s;
+     iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb,
+@@ -741,8 +740,9 @@ void ide_cancel_dma_sync(IDEState *s)
+      */
+     if (s->bus->dma->aiocb) {
+         trace_ide_cancel_dma_sync_remaining();
+-        blk_drain(s->blk);
+-        assert(s->bus->dma->aiocb == NULL);
++        while (s->bus->dma->aiocb) {
++            blk_drain(s->blk);
++        }
+     }
+ }
+ 

debian/patches/extra/0005-target-arm-align-exposed-ID-registers-with-Linux.patch

@@ -0,0 +1,273 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhuojia Shen <chaosdefinition@hotmail.com>
+Date: Wed, 10 Apr 2024 08:43:24 +0300
+Subject: [PATCH] target/arm: align exposed ID registers with Linux
+
+In CPUID registers exposed to userspace, some registers were missing
+and some fields were not exposed.  This patch aligns exposed ID
+registers and their fields with what the upstream kernel currently
+exposes.
+
+Specifically, the following new ID registers/fields are exposed to
+userspace:
+
+ID_AA64PFR1_EL1.BT:       bits 3-0
+ID_AA64PFR1_EL1.MTE:      bits 11-8
+ID_AA64PFR1_EL1.SME:      bits 27-24
+
+ID_AA64ZFR0_EL1.SVEver:   bits 3-0
+ID_AA64ZFR0_EL1.AES:      bits 7-4
+ID_AA64ZFR0_EL1.BitPerm:  bits 19-16
+ID_AA64ZFR0_EL1.BF16:     bits 23-20
+ID_AA64ZFR0_EL1.SHA3:     bits 35-32
+ID_AA64ZFR0_EL1.SM4:      bits 43-40
+ID_AA64ZFR0_EL1.I8MM:     bits 47-44
+ID_AA64ZFR0_EL1.F32MM:    bits 55-52
+ID_AA64ZFR0_EL1.F64MM:    bits 59-56
+
+ID_AA64SMFR0_EL1.F32F32:  bit 32
+ID_AA64SMFR0_EL1.B16F32:  bit 34
+ID_AA64SMFR0_EL1.F16F32:  bit 35
+ID_AA64SMFR0_EL1.I8I32:   bits 39-36
+ID_AA64SMFR0_EL1.F64F64:  bit 48
+ID_AA64SMFR0_EL1.I16I64:  bits 55-52
+ID_AA64SMFR0_EL1.FA64:    bit 63
+
+ID_AA64MMFR0_EL1.ECV:     bits 63-60
+
+ID_AA64MMFR1_EL1.AFP:     bits 47-44
+
+ID_AA64MMFR2_EL1.AT:      bits 35-32
+
+ID_AA64ISAR0_EL1.RNDR:    bits 63-60
+
+ID_AA64ISAR1_EL1.FRINTTS: bits 35-32
+ID_AA64ISAR1_EL1.BF16:    bits 47-44
+ID_AA64ISAR1_EL1.DGH:     bits 51-48
+ID_AA64ISAR1_EL1.I8MM:    bits 55-52
+
+ID_AA64ISAR2_EL1.WFxT:    bits 3-0
+ID_AA64ISAR2_EL1.RPRES:   bits 7-4
+ID_AA64ISAR2_EL1.GPA3:    bits 11-8
+ID_AA64ISAR2_EL1.APA3:    bits 15-12
+
+The code is also refactored to use symbolic names for ID register fields
+for better readability and maintainability.
+
+The test case in tests/tcg/aarch64/sysregs.c is also updated to match
+the intended behavior.
+
+Signed-off-by: Zhuojia Shen <chaosdefinition@hotmail.com>
+Message-id: DS7PR12MB6309FB585E10772928F14271ACE79@DS7PR12MB6309.namprd12.prod.outlook.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: use Sn_n_Cn_Cn_n syntax to work with older assemblers
+that don't recognize id_aa64isar2_el1 and id_aa64mmfr2_el1]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit bc6bd20ee3538347afb750c4bd06edca4a922897)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: pick this for v8.0.0-2361-g1f51573f79
+ "target/arm: Fix SME full tile indexing")
+---
+ target/arm/helper.c               | 96 +++++++++++++++++++++++++------
+ tests/tcg/aarch64/Makefile.target |  7 ++-
+ tests/tcg/aarch64/sysregs.c       | 24 ++++++--
+ 3 files changed, 103 insertions(+), 24 deletions(-)
+
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index 2e284e048c..acc0470e86 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -7852,31 +7852,89 @@ void register_cp_regs_for_features(ARMCPU *cpu)
+ #ifdef CONFIG_USER_ONLY
+         static const ARMCPRegUserSpaceInfo v8_user_idregs[] = {
+             { .name = "ID_AA64PFR0_EL1",
+-              .exported_bits = 0x000f000f00ff0000,
+-              .fixed_bits    = 0x0000000000000011 },
++              .exported_bits = R_ID_AA64PFR0_FP_MASK |
++                               R_ID_AA64PFR0_ADVSIMD_MASK |
++                               R_ID_AA64PFR0_SVE_MASK |
++                               R_ID_AA64PFR0_DIT_MASK,
++              .fixed_bits = (0x1u << R_ID_AA64PFR0_EL0_SHIFT) |
++                            (0x1u << R_ID_AA64PFR0_EL1_SHIFT) },
+             { .name = "ID_AA64PFR1_EL1",
+-              .exported_bits = 0x00000000000000f0 },
++              .exported_bits = R_ID_AA64PFR1_BT_MASK |
++                               R_ID_AA64PFR1_SSBS_MASK |
++                               R_ID_AA64PFR1_MTE_MASK |
++                               R_ID_AA64PFR1_SME_MASK },
+             { .name = "ID_AA64PFR*_EL1_RESERVED",
+-              .is_glob = true                     },
+-            { .name = "ID_AA64ZFR0_EL1"           },
++              .is_glob = true },
++            { .name = "ID_AA64ZFR0_EL1",
++              .exported_bits = R_ID_AA64ZFR0_SVEVER_MASK |
++                               R_ID_AA64ZFR0_AES_MASK |
++                               R_ID_AA64ZFR0_BITPERM_MASK |
++                               R_ID_AA64ZFR0_BFLOAT16_MASK |
++                               R_ID_AA64ZFR0_SHA3_MASK |
++                               R_ID_AA64ZFR0_SM4_MASK |
++                               R_ID_AA64ZFR0_I8MM_MASK |
++                               R_ID_AA64ZFR0_F32MM_MASK |
++                               R_ID_AA64ZFR0_F64MM_MASK },
++            { .name = "ID_AA64SMFR0_EL1",
++              .exported_bits = R_ID_AA64SMFR0_F32F32_MASK |
++                               R_ID_AA64SMFR0_B16F32_MASK |
++                               R_ID_AA64SMFR0_F16F32_MASK |
++                               R_ID_AA64SMFR0_I8I32_MASK |
++                               R_ID_AA64SMFR0_F64F64_MASK |
++                               R_ID_AA64SMFR0_I16I64_MASK |
++                               R_ID_AA64SMFR0_FA64_MASK },
+             { .name = "ID_AA64MMFR0_EL1",
+-              .fixed_bits    = 0x00000000ff000000 },
+-            { .name = "ID_AA64MMFR1_EL1"          },
++              .exported_bits = R_ID_AA64MMFR0_ECV_MASK,
++              .fixed_bits = (0xfu << R_ID_AA64MMFR0_TGRAN64_SHIFT) |
++                            (0xfu << R_ID_AA64MMFR0_TGRAN4_SHIFT) },
++            { .name = "ID_AA64MMFR1_EL1",
++              .exported_bits = R_ID_AA64MMFR1_AFP_MASK },
++            { .name = "ID_AA64MMFR2_EL1",
++              .exported_bits = R_ID_AA64MMFR2_AT_MASK },
+             { .name = "ID_AA64MMFR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64DFR0_EL1",
+-              .fixed_bits    = 0x0000000000000006 },
+-            { .name = "ID_AA64DFR1_EL1"           },
++              .fixed_bits = (0x6u << R_ID_AA64DFR0_DEBUGVER_SHIFT) },
++            { .name = "ID_AA64DFR1_EL1" },
+             { .name = "ID_AA64DFR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64AFR*",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64ISAR0_EL1",
+-              .exported_bits = 0x00fffffff0fffff0 },
++              .exported_bits = R_ID_AA64ISAR0_AES_MASK |
++                               R_ID_AA64ISAR0_SHA1_MASK |
++                               R_ID_AA64ISAR0_SHA2_MASK |
++                               R_ID_AA64ISAR0_CRC32_MASK |
++                               R_ID_AA64ISAR0_ATOMIC_MASK |
++                               R_ID_AA64ISAR0_RDM_MASK |
++                               R_ID_AA64ISAR0_SHA3_MASK |
++                               R_ID_AA64ISAR0_SM3_MASK |
++                               R_ID_AA64ISAR0_SM4_MASK |
++                               R_ID_AA64ISAR0_DP_MASK |
++                               R_ID_AA64ISAR0_FHM_MASK |
++                               R_ID_AA64ISAR0_TS_MASK |
++                               R_ID_AA64ISAR0_RNDR_MASK },
+             { .name = "ID_AA64ISAR1_EL1",
+-              .exported_bits = 0x000000f0ffffffff },
++              .exported_bits = R_ID_AA64ISAR1_DPB_MASK |
++                               R_ID_AA64ISAR1_APA_MASK |
++                               R_ID_AA64ISAR1_API_MASK |
++                               R_ID_AA64ISAR1_JSCVT_MASK |
++                               R_ID_AA64ISAR1_FCMA_MASK |
++                               R_ID_AA64ISAR1_LRCPC_MASK |
++                               R_ID_AA64ISAR1_GPA_MASK |
++                               R_ID_AA64ISAR1_GPI_MASK |
++                               R_ID_AA64ISAR1_FRINTTS_MASK |
++                               R_ID_AA64ISAR1_SB_MASK |
++                               R_ID_AA64ISAR1_BF16_MASK |
++                               R_ID_AA64ISAR1_DGH_MASK |
++                               R_ID_AA64ISAR1_I8MM_MASK },
++            { .name = "ID_AA64ISAR2_EL1",
++              .exported_bits = R_ID_AA64ISAR2_WFXT_MASK |
++                               R_ID_AA64ISAR2_RPRES_MASK |
++                               R_ID_AA64ISAR2_GPA3_MASK |
++                               R_ID_AA64ISAR2_APA3_MASK },
+             { .name = "ID_AA64ISAR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+         };
+         modify_arm_cp_regs(v8_idregs, v8_user_idregs);
+ #endif
+@@ -8194,8 +8252,12 @@ void register_cp_regs_for_features(ARMCPU *cpu)
+ #ifdef CONFIG_USER_ONLY
+         static const ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
+             { .name = "MIDR_EL1",
+-              .exported_bits = 0x00000000ffffffff },
+-            { .name = "REVIDR_EL1"                },
++              .exported_bits = R_MIDR_EL1_REVISION_MASK |
++                               R_MIDR_EL1_PARTNUM_MASK |
++                               R_MIDR_EL1_ARCHITECTURE_MASK |
++                               R_MIDR_EL1_VARIANT_MASK |
++                               R_MIDR_EL1_IMPLEMENTER_MASK },
++            { .name = "REVIDR_EL1" },
+         };
+         modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo);
+ #endif
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index a72578fccb..fc6d5d824d 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -23,7 +23,8 @@ config-cc.mak: Makefile
+ 	    $(call cc-option,-march=armv8.1-a+sve2,         CROSS_CC_HAS_SVE2); \
+ 	    $(call cc-option,-march=armv8.3-a,              CROSS_CC_HAS_ARMV8_3); \
+ 	    $(call cc-option,-mbranch-protection=standard,  CROSS_CC_HAS_ARMV8_BTI); \
+-	    $(call cc-option,-march=armv8.5-a+memtag,       CROSS_CC_HAS_ARMV8_MTE)) 3> config-cc.mak
++	    $(call cc-option,-march=armv8.5-a+memtag,       CROSS_CC_HAS_ARMV8_MTE); \
++	    $(call cc-option,-march=armv9-a+sme,            CROSS_CC_HAS_ARMV9_SME)) 3> config-cc.mak
+ -include config-cc.mak
+ 
+ # Pauth Tests
+@@ -53,7 +54,11 @@ endif
+ ifneq ($(CROSS_CC_HAS_SVE),)
+ # System Registers Tests
+ AARCH64_TESTS += sysregs
++ifneq ($(CROSS_CC_HAS_ARMV9_SME),)
++sysregs: CFLAGS+=-march=armv9-a+sme -DHAS_ARMV9_SME
++else
+ sysregs: CFLAGS+=-march=armv8.1-a+sve
++endif
+ 
+ # SVE ioctl test
+ AARCH64_TESTS += sve-ioctls
+diff --git a/tests/tcg/aarch64/sysregs.c b/tests/tcg/aarch64/sysregs.c
+index 40cf8d2877..46b931f781 100644
+--- a/tests/tcg/aarch64/sysregs.c
++++ b/tests/tcg/aarch64/sysregs.c
+@@ -22,6 +22,13 @@
+ #define HWCAP_CPUID (1 << 11)
+ #endif
+ 
++/*
++ * Older assemblers don't recognize newer system register names,
++ * but we can still access them by the Sn_n_Cn_Cn_n syntax.
++ */
++#define SYS_ID_AA64ISAR2_EL1 S3_0_C0_C6_2
++#define SYS_ID_AA64MMFR2_EL1 S3_0_C0_C7_2
++
+ int failed_bit_count;
+ 
+ /* Read and print system register `id' value */
+@@ -112,18 +119,23 @@ int main(void)
+      * minimum valid fields - for the purposes of this check allowed
+      * to have non-zero values.
+      */
+-    get_cpu_reg_check_mask(id_aa64isar0_el1, _m(00ff,ffff,f0ff,fff0));
+-    get_cpu_reg_check_mask(id_aa64isar1_el1, _m(0000,00f0,ffff,ffff));
++    get_cpu_reg_check_mask(id_aa64isar0_el1, _m(f0ff,ffff,f0ff,fff0));
++    get_cpu_reg_check_mask(id_aa64isar1_el1, _m(00ff,f0ff,ffff,ffff));
++    get_cpu_reg_check_mask(SYS_ID_AA64ISAR2_EL1, _m(0000,0000,0000,ffff));
+     /* TGran4 & TGran64 as pegged to -1 */
+-    get_cpu_reg_check_mask(id_aa64mmfr0_el1, _m(0000,0000,ff00,0000));
+-    get_cpu_reg_check_zero(id_aa64mmfr1_el1);
++    get_cpu_reg_check_mask(id_aa64mmfr0_el1, _m(f000,0000,ff00,0000));
++    get_cpu_reg_check_mask(id_aa64mmfr1_el1, _m(0000,f000,0000,0000));
++    get_cpu_reg_check_mask(SYS_ID_AA64MMFR2_EL1, _m(0000,000f,0000,0000));
+     /* EL1/EL0 reported as AA64 only */
+     get_cpu_reg_check_mask(id_aa64pfr0_el1,  _m(000f,000f,00ff,0011));
+-    get_cpu_reg_check_mask(id_aa64pfr1_el1,  _m(0000,0000,0000,00f0));
++    get_cpu_reg_check_mask(id_aa64pfr1_el1,  _m(0000,0000,0f00,0fff));
+     /* all hidden, DebugVer fixed to 0x6 (ARMv8 debug architecture) */
+     get_cpu_reg_check_mask(id_aa64dfr0_el1,  _m(0000,0000,0000,0006));
+     get_cpu_reg_check_zero(id_aa64dfr1_el1);
+-    get_cpu_reg_check_zero(id_aa64zfr0_el1);
++    get_cpu_reg_check_mask(id_aa64zfr0_el1,  _m(0ff0,ff0f,00ff,00ff));
++#ifdef HAS_ARMV9_SME
++    get_cpu_reg_check_mask(id_aa64smfr0_el1, _m(80f1,00fd,0000,0000));
++#endif
+ 
+     get_cpu_reg_check_zero(id_aa64afr0_el1);
+     get_cpu_reg_check_zero(id_aa64afr1_el1);

debian/patches/extra/0006-block-io-Update-BSC-only-if-want_zero-is-true.patch

@@ -1,43 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hanna Reitz <hreitz@redhat.com>
-Date: Tue, 18 Jan 2022 17:59:59 +0100
-Subject: [PATCH] block/io: Update BSC only if want_zero is true
-
-We update the block-status cache whenever we get new information from a
-bdrv_co_block_status() call to the block driver.  However, if we have
-passed want_zero=false to that call, it may flag areas containing zeroes
-as data, and so we would update the block-status cache with wrong
-information.
-
-Therefore, we should not update the cache with want_zero=false.
-
-Reported-by: Nir Soffer <nsoffer@redhat.com>
-Fixes: 0bc329fbb00 ("block: block-status cache for data regions")
-Reviewed-by: Nir Soffer <nsoffer@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Hanna Reitz <hreitz@redhat.com>
-Message-Id: <20220118170000.49423-2-hreitz@redhat.com>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Eric Blake <eblake@redhat.com>
----
- block/io.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/block/io.c b/block/io.c
-index bb0a254def..4e4cb556c5 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -2497,8 +2497,12 @@ static int coroutine_fn bdrv_co_block_status(BlockDriverState *bs,
-              * non-protocol nodes, and then it is never used.  However, filling
-              * the cache requires an RCU update, so double check here to avoid
-              * such an update if possible.
-+             *
-+             * Check want_zero, because we only want to update the cache when we
-+             * have accurate information about what is zero and what is data.
-              */
--            if (ret == (BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID) &&
-+            if (want_zero &&
-+                ret == (BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID) &&
-                 QLIST_EMPTY(&bs->children))
-             {
-                 /*

debian/patches/extra/0006-tests-tcg-aarch64-sysregs.c-Use-S-syntax-for-id_aa64.patch

@@ -0,0 +1,91 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Wed, 10 Apr 2024 08:43:25 +0300
+Subject: [PATCH] tests/tcg/aarch64/sysregs.c: Use S syntax for id_aa64zfr0_el1
+ and id_aa64smfr0_el1
+
+Some assemblers will complain about attempts to access
+id_aa64zfr0_el1 and id_aa64smfr0_el1 by name if the test
+binary isn't built for the right processor type:
+
+ /tmp/ccASXpLo.s:782: Error: selected processor does not support system register name 'id_aa64zfr0_el1'
+ /tmp/ccASXpLo.s:829: Error: selected processor does not support system register name 'id_aa64smfr0_el1'
+
+However, these registers are in the ID space and are guaranteed to
+read-as-zero on older CPUs, so the access is both safe and sensible.
+Switch to using the S syntax, as we already do for ID_AA64ISAR2_EL1
+and ID_AA64MMFR2_EL1.  This allows us to drop the HAS_ARMV9_SME check
+and the makefile machinery to adjust the CFLAGS for this test, so we
+don't rely on having a sufficiently new compiler to be able to check
+these registers.
+
+This means we're actually testing the SME ID register: no released
+GCC yet recognizes -march=armv9-a+sme, so that was always skipped.
+It also avoids a future problem if we try to switch the "do we have
+SME support in the toolchain" check from "in the compiler" to "in the
+assembler" (at which point we would otherwise run into the above
+errors).
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 3dc2afeab2964b54848715b913b6c605f36be3e1)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: pick this for v8.0.0-2361-g1f51573f79
+ "target/arm: Fix SME full tile indexing")
+---
+ tests/tcg/aarch64/Makefile.target |  7 +------
+ tests/tcg/aarch64/sysregs.c       | 11 +++++++----
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index fc6d5d824d..118d069073 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -51,15 +51,10 @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7
+ mte-%: CFLAGS += -march=armv8.5-a+memtag
+ endif
+ 
+-ifneq ($(CROSS_CC_HAS_SVE),)
+ # System Registers Tests
+ AARCH64_TESTS += sysregs
+-ifneq ($(CROSS_CC_HAS_ARMV9_SME),)
+-sysregs: CFLAGS+=-march=armv9-a+sme -DHAS_ARMV9_SME
+-else
+-sysregs: CFLAGS+=-march=armv8.1-a+sve
+-endif
+ 
++ifneq ($(CROSS_CC_HAS_SVE),)
+ # SVE ioctl test
+ AARCH64_TESTS += sve-ioctls
+ sve-ioctls: CFLAGS+=-march=armv8.1-a+sve
+diff --git a/tests/tcg/aarch64/sysregs.c b/tests/tcg/aarch64/sysregs.c
+index 46b931f781..d8eb06abcf 100644
+--- a/tests/tcg/aarch64/sysregs.c
++++ b/tests/tcg/aarch64/sysregs.c
+@@ -25,9 +25,14 @@
+ /*
+  * Older assemblers don't recognize newer system register names,
+  * but we can still access them by the Sn_n_Cn_Cn_n syntax.
++ * This also means we don't need to specifically request that the
++ * assembler enables whatever architectural features the ID registers
++ * syntax might be gated behind.
+  */
+ #define SYS_ID_AA64ISAR2_EL1 S3_0_C0_C6_2
+ #define SYS_ID_AA64MMFR2_EL1 S3_0_C0_C7_2
++#define SYS_ID_AA64ZFR0_EL1 S3_0_C0_C4_4
++#define SYS_ID_AA64SMFR0_EL1 S3_0_C0_C4_5
+ 
+ int failed_bit_count;
+ 
+@@ -132,10 +137,8 @@ int main(void)
+     /* all hidden, DebugVer fixed to 0x6 (ARMv8 debug architecture) */
+     get_cpu_reg_check_mask(id_aa64dfr0_el1,  _m(0000,0000,0000,0006));
+     get_cpu_reg_check_zero(id_aa64dfr1_el1);
+-    get_cpu_reg_check_mask(id_aa64zfr0_el1,  _m(0ff0,ff0f,00ff,00ff));
+-#ifdef HAS_ARMV9_SME
+-    get_cpu_reg_check_mask(id_aa64smfr0_el1, _m(80f1,00fd,0000,0000));
+-#endif
++    get_cpu_reg_check_mask(SYS_ID_AA64ZFR0_EL1,  _m(0ff0,ff0f,00ff,00ff));
++    get_cpu_reg_check_mask(SYS_ID_AA64SMFR0_EL1, _m(80f1,00fd,0000,0000));
+ 
+     get_cpu_reg_check_zero(id_aa64afr0_el1);
+     get_cpu_reg_check_zero(id_aa64afr1_el1);

debian/patches/extra/0007-block-nbd-Delete-reconnect-delay-timer-when-done.patch

@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hanna Reitz <hreitz@redhat.com>
-Date: Wed, 9 Feb 2022 15:02:52 +0100
-Subject: [PATCH] block/nbd: Delete reconnect delay timer when done
-
-We start the reconnect delay timer to cancel the reconnection attempt
-after a while.  Once nbd_co_do_establish_connection() has returned, this
-attempt is over, and we no longer need the timer.
-
-Delete it before returning from nbd_reconnect_attempt(), so that it does
-not persist beyond the I/O request that was paused for reconnecting; we
-do not want it to fire in a drained section, because all sort of things
-can happen in such a section (e.g. the AioContext might be changed, and
-we do not want the timer to fire in the wrong context; or the BDS might
-even be deleted, and so the timer CB would access already-freed data).
-
-Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Signed-off-by: Hanna Reitz <hreitz@redhat.com>
----
- block/nbd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/block/nbd.c b/block/nbd.c
-index 5ef462db1b..b8e5a9b4cc 100644
---- a/block/nbd.c
-+++ b/block/nbd.c
-@@ -353,6 +353,13 @@ static coroutine_fn void nbd_reconnect_attempt(BDRVNBDState *s)
-     }
- 
-     nbd_co_do_establish_connection(s->bs, NULL);
-+
-+    /*
-+     * The reconnect attempt is done (maybe successfully, maybe not), so
-+     * we no longer need this timer.  Delete it so it will not outlive
-+     * this I/O request (so draining removes all timers).
-+     */
-+    reconnect_delay_timer_del(s);
- }
- 
- static coroutine_fn int nbd_receive_replies(BDRVNBDState *s, uint64_t handle)

debian/patches/extra/0007-target-arm-Fix-SME-full-tile-indexing.patch

@@ -0,0 +1,199 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Wed, 10 Apr 2024 08:43:26 +0300
+Subject: [PATCH] target/arm: Fix SME full tile indexing
+
+For the outer product set of insns, which take an entire matrix
+tile as output, the argument is not a combined tile+column.
+Therefore using get_tile_rowcol was incorrect, as we extracted
+the tile number from itself.
+
+The test case relies only on assembler support for SME, since
+no release of GCC recognizes -march=armv9-a+sme yet.
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1620
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230622151201.1578522-5-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: dropped now-unneeded changes to sysregs CFLAGS]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 1f51573f7925b80e79a29f87c7d9d6ead60960c0)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ target/arm/translate-sme.c        | 24 ++++++---
+ tests/tcg/aarch64/Makefile.target |  7 ++-
+ tests/tcg/aarch64/sme-outprod1.c  | 83 +++++++++++++++++++++++++++++++
+ 3 files changed, 107 insertions(+), 7 deletions(-)
+ create mode 100644 tests/tcg/aarch64/sme-outprod1.c
+
+diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
+index 7b87a9df63..65f8495bdd 100644
+--- a/target/arm/translate-sme.c
++++ b/target/arm/translate-sme.c
+@@ -103,6 +103,21 @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,
+     return addr;
+ }
+ 
++/*
++ * Resolve tile.size[0] to a host pointer.
++ * Used by e.g. outer product insns where we require the entire tile.
++ */
++static TCGv_ptr get_tile(DisasContext *s, int esz, int tile)
++{
++    TCGv_ptr addr = tcg_temp_new_ptr();
++    int offset;
++
++    offset = tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray);
++
++    tcg_gen_addi_ptr(addr, cpu_env, offset);
++    return addr;
++}
++
+ static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
+ {
+     if (!dc_isar_feature(aa64_sme, s)) {
+@@ -279,8 +294,7 @@ static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     pn = pred_full_reg_ptr(s, a->pn);
+     pm = pred_full_reg_ptr(s, a->pm);
+@@ -310,8 +324,7 @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     zm = vec_full_reg_ptr(s, a->zm);
+     pn = pred_full_reg_ptr(s, a->pn);
+@@ -337,8 +350,7 @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     zm = vec_full_reg_ptr(s, a->zm);
+     pn = pred_full_reg_ptr(s, a->pn);
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index 118d069073..5e4ea7c998 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -24,7 +24,7 @@ config-cc.mak: Makefile
+ 	    $(call cc-option,-march=armv8.3-a,              CROSS_CC_HAS_ARMV8_3); \
+ 	    $(call cc-option,-mbranch-protection=standard,  CROSS_CC_HAS_ARMV8_BTI); \
+ 	    $(call cc-option,-march=armv8.5-a+memtag,       CROSS_CC_HAS_ARMV8_MTE); \
+-	    $(call cc-option,-march=armv9-a+sme,            CROSS_CC_HAS_ARMV9_SME)) 3> config-cc.mak
++	    $(call cc-option,-Wa$(COMMA)-march=armv9-a+sme, CROSS_AS_HAS_ARMV9_SME)) 3> config-cc.mak
+ -include config-cc.mak
+ 
+ # Pauth Tests
+@@ -51,6 +51,11 @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7
+ mte-%: CFLAGS += -march=armv8.5-a+memtag
+ endif
+ 
++# SME Tests
++ifneq ($(CROSS_AS_HAS_ARMV9_SME),)
++AARCH64_TESTS += sme-outprod1
++endif
++
+ # System Registers Tests
+ AARCH64_TESTS += sysregs
+ 
+diff --git a/tests/tcg/aarch64/sme-outprod1.c b/tests/tcg/aarch64/sme-outprod1.c
+new file mode 100644
+index 0000000000..6e5972d75e
+--- /dev/null
++++ b/tests/tcg/aarch64/sme-outprod1.c
+@@ -0,0 +1,83 @@
++/*
++ * SME outer product, 1 x 1.
++ * SPDX-License-Identifier: GPL-2.0-or-later
++ */
++
++#include <stdio.h>
++
++extern void foo(float *dst);
++
++asm(
++"	.arch_extension sme\n"
++"	.type foo, @function\n"
++"foo:\n"
++"	stp x29, x30, [sp, -80]!\n"
++"	mov x29, sp\n"
++"	stp d8, d9, [sp, 16]\n"
++"	stp d10, d11, [sp, 32]\n"
++"	stp d12, d13, [sp, 48]\n"
++"	stp d14, d15, [sp, 64]\n"
++"	smstart\n"
++"	ptrue p0.s, vl4\n"
++"	fmov z0.s, #1.0\n"
++/*
++ * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.
++ * Note that we are using tile 1 here (za1.s) rather than tile 0.
++ */
++"	zero {za}\n"
++"	fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n"
++/*
++ * Read the first 4x4 sub-matrix of elements from tile 1:
++ * Note that za1h should be interchangable here.
++ */
++"	mov w12, #0\n"
++"	mova z0.s, p0/m, za1v.s[w12, #0]\n"
++"	mova z1.s, p0/m, za1v.s[w12, #1]\n"
++"	mova z2.s, p0/m, za1v.s[w12, #2]\n"
++"	mova z3.s, p0/m, za1v.s[w12, #3]\n"
++/*
++ * And store them to the input pointer (dst in the C code):
++ */
++"	st1w {z0.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z1.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z2.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z3.s}, p0, [x0]\n"
++"	smstop\n"
++"	ldp d8, d9, [sp, 16]\n"
++"	ldp d10, d11, [sp, 32]\n"
++"	ldp d12, d13, [sp, 48]\n"
++"	ldp d14, d15, [sp, 64]\n"
++"	ldp x29, x30, [sp], 80\n"
++"	ret\n"
++"	.size foo, . - foo"
++);
++
++int main()
++{
++    float dst[16];
++    int i, j;
++
++    foo(dst);
++
++    for (i = 0; i < 16; i++) {
++        if (dst[i] != 1.0f) {
++            break;
++        }
++    }
++
++    if (i == 16) {
++        return 0; /* success */
++    }
++
++    /* failure */
++    for (i = 0; i < 4; ++i) {
++        for (j = 0; j < 4; ++j) {
++            printf("%f ", (double)dst[i * 4 + j]);
++        }
++        printf("\n");
++    }
++    return 1;
++}

debian/patches/extra/0008-block-nbd-Assert-there-are-no-timers-when-closed.patch

@@ -1,34 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hanna Reitz <hreitz@redhat.com>
-Date: Wed, 9 Feb 2022 15:02:54 +0100
-Subject: [PATCH] block/nbd: Assert there are no timers when closed
-
-Our two timers must not remain armed beyond nbd_clear_bdrvstate(), or
-they will access freed data when they fire.
-
-This patch is separate from the patches that actually fix the issue
-(HEAD^^ and HEAD^) so that you can run the associated regression iotest
-(281) on a configuration that reproducibly exposes the bug.
-
-Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Signed-off-by: Hanna Reitz <hreitz@redhat.com>
-[FE: backport (open_timer doesn't exist yet in 6.2.0)]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
----
- block/nbd.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/block/nbd.c b/block/nbd.c
-index b8e5a9b4cc..aab20125d8 100644
---- a/block/nbd.c
-+++ b/block/nbd.c
-@@ -108,6 +108,9 @@ static void nbd_clear_bdrvstate(BlockDriverState *bs)
- 
-     yank_unregister_instance(BLOCKDEV_YANK_INSTANCE(bs->node_name));
- 
-+    /* Must not leave timers behind that would access freed data */
-+    assert(!s->reconnect_delay_timer);
-+
-     object_unref(OBJECT(s->tlscreds));
-     qapi_free_SocketAddress(s->saddr);
-     s->saddr = NULL;

debian/patches/extra/0008-system-qdev-monitor-move-drain_call_rcu-call-under-i.patch

@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitrii Gavrilov <ds-gavr@yandex-team.ru>
+Date: Wed, 10 Apr 2024 08:43:28 +0300
+Subject: [PATCH] system/qdev-monitor: move drain_call_rcu call under if (!dev)
+ in qmp_device_add()
+
+Original goal of addition of drain_call_rcu to qmp_device_add was to cover
+the failure case of qdev_device_add. It seems call of drain_call_rcu was
+misplaced in 7bed89958bfbf40df what led to waiting for pending RCU callbacks
+under happy path too. What led to overall performance degradation of
+qmp_device_add.
+
+In this patch call of drain_call_rcu moved under handling of failure of
+qdev_device_add.
+
+Signed-off-by: Dmitrii Gavrilov <ds-gavr@yandex-team.ru>
+Message-ID: <20231103105602.90475-1-ds-gavr@yandex-team.ru>
+Fixes: 7bed89958bf ("device_core: use drain_call_rcu in in qmp_device_add", 2020-10-12)
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 012b170173bcaa14b9bc26209e0813311ac78489)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ softmmu/qdev-monitor.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/softmmu/qdev-monitor.c b/softmmu/qdev-monitor.c
+index 4b0ef65780..f4348443b0 100644
+--- a/softmmu/qdev-monitor.c
++++ b/softmmu/qdev-monitor.c
+@@ -853,19 +853,18 @@ void qmp_device_add(QDict *qdict, QObject **ret_data, Error **errp)
+         return;
+     }
+     dev = qdev_device_add(opts, errp);
+-
+-    /*
+-     * Drain all pending RCU callbacks. This is done because
+-     * some bus related operations can delay a device removal
+-     * (in this case this can happen if device is added and then
+-     * removed due to a configuration error)
+-     * to a RCU callback, but user might expect that this interface
+-     * will finish its job completely once qmp command returns result
+-     * to the user
+-     */
+-    drain_call_rcu();
+-
+     if (!dev) {
++        /*
++         * Drain all pending RCU callbacks. This is done because
++         * some bus related operations can delay a device removal
++         * (in this case this can happen if device is added and then
++         * removed due to a configuration error)
++         * to a RCU callback, but user might expect that this interface
++         * will finish its job completely once qmp command returns result
++         * to the user
++         */
++        drain_call_rcu();
++
+         qemu_opts_del(opts);
+         return;
+     }

debian/patches/extra/0009-block-nbd-Move-s-ioc-on-AioContext-change.patch

@@ -1,90 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hanna Reitz <hreitz@redhat.com>
-Date: Wed, 9 Feb 2022 15:02:57 +0100
-Subject: [PATCH] block/nbd: Move s->ioc on AioContext change
-
-s->ioc must always be attached to the NBD node's AioContext.  If that
-context changes, s->ioc must be attached to the new context.
-
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2033626
-Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Signed-off-by: Hanna Reitz <hreitz@redhat.com>
-[FE: backport (open_timer doesn't exist yet in 6.2.0)]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
----
- block/nbd.c | 41 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 41 insertions(+)
-
-diff --git a/block/nbd.c b/block/nbd.c
-index aab20125d8..a3896c7f5f 100644
---- a/block/nbd.c
-+++ b/block/nbd.c
-@@ -2003,6 +2003,38 @@ static void nbd_cancel_in_flight(BlockDriverState *bs)
-     nbd_co_establish_connection_cancel(s->conn);
- }
- 
-+static void nbd_attach_aio_context(BlockDriverState *bs,
-+                                   AioContext *new_context)
-+{
-+    BDRVNBDState *s = bs->opaque;
-+
-+    /*
-+     * The reconnect_delay_timer is scheduled in I/O paths when the
-+     * connection is lost, to cancel the reconnection attempt after a
-+     * given time.  Once this attempt is done (successfully or not),
-+     * nbd_reconnect_attempt() ensures the timer is deleted before the
-+     * respective I/O request is resumed.
-+     * Since the AioContext can only be changed when a node is drained,
-+     * the reconnect_delay_timer cannot be active here.
-+     */
-+    assert(!s->reconnect_delay_timer);
-+
-+    if (s->ioc) {
-+        qio_channel_attach_aio_context(s->ioc, new_context);
-+    }
-+}
-+
-+static void nbd_detach_aio_context(BlockDriverState *bs)
-+{
-+    BDRVNBDState *s = bs->opaque;
-+
-+    assert(!s->reconnect_delay_timer);
-+
-+    if (s->ioc) {
-+        qio_channel_detach_aio_context(s->ioc);
-+    }
-+}
-+
- static BlockDriver bdrv_nbd = {
-     .format_name                = "nbd",
-     .protocol_name              = "nbd",
-@@ -2026,6 +2058,9 @@ static BlockDriver bdrv_nbd = {
-     .bdrv_dirname               = nbd_dirname,
-     .strong_runtime_opts        = nbd_strong_runtime_opts,
-     .bdrv_cancel_in_flight      = nbd_cancel_in_flight,
-+
-+    .bdrv_attach_aio_context    = nbd_attach_aio_context,
-+    .bdrv_detach_aio_context    = nbd_detach_aio_context,
- };
- 
- static BlockDriver bdrv_nbd_tcp = {
-@@ -2051,6 +2086,9 @@ static BlockDriver bdrv_nbd_tcp = {
-     .bdrv_dirname               = nbd_dirname,
-     .strong_runtime_opts        = nbd_strong_runtime_opts,
-     .bdrv_cancel_in_flight      = nbd_cancel_in_flight,
-+
-+    .bdrv_attach_aio_context    = nbd_attach_aio_context,
-+    .bdrv_detach_aio_context    = nbd_detach_aio_context,
- };
- 
- static BlockDriver bdrv_nbd_unix = {
-@@ -2076,6 +2114,9 @@ static BlockDriver bdrv_nbd_unix = {
-     .bdrv_dirname               = nbd_dirname,
-     .strong_runtime_opts        = nbd_strong_runtime_opts,
-     .bdrv_cancel_in_flight      = nbd_cancel_in_flight,
-+
-+    .bdrv_attach_aio_context    = nbd_attach_aio_context,
-+    .bdrv_detach_aio_context    = nbd_detach_aio_context,
- };
- 
- static void bdrv_nbd_init(void)

debian/patches/extra/0009-hw-scsi-lsi53c895a-stop-script-on-phase-mismatch.patch

@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Wed, 10 Apr 2024 08:43:29 +0300
+Subject: [PATCH] hw/scsi/lsi53c895a: stop script on phase mismatch
+
+Netbsd isn't happy with qemu lsi53c895a emulation:
+
+cd0(esiop0:0:2:0): command with tag id 0 reset
+esiop0: autoconfiguration error: phase mismatch without command
+esiop0: autoconfiguration error: unhandled scsi interrupt, sist=0x80 sstat1=0x0 DSA=0x23a64b1 DSP=0x50
+
+This is because lsi_bad_phase() triggers a phase mismatch, which
+stops SCRIPT processing. However, after returning to
+lsi_command_complete(), SCRIPT is restarted with lsi_resume_script().
+Fix this by adding a return value to lsi_bad_phase(), and only resume
+script processing when lsi_bad_phase() didn't trigger a host interrupt.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Tested-by: Helge Deller <deller@gmx.de>
+Message-ID: <20240302214453.2071388-1-svens@stackframe.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit a9198b3132d81a6bfc9fdbf6f3d3a514c2864674)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/scsi/lsi53c895a.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index ca619ed564..905f5ef237 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -570,8 +570,9 @@ static inline void lsi_set_phase(LSIState *s, int phase)
+     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
+ }
+ 
+-static void lsi_bad_phase(LSIState *s, int out, int new_phase)
++static int lsi_bad_phase(LSIState *s, int out, int new_phase)
+ {
++    int ret = 0;
+     /* Trigger a phase mismatch.  */
+     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
+         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
+@@ -584,8 +585,10 @@ static void lsi_bad_phase(LSIState *s, int out, int new_phase)
+         trace_lsi_bad_phase_interrupt();
+         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
+         lsi_stop_script(s);
++        ret = 1;
+     }
+     lsi_set_phase(s, new_phase);
++    return ret;
+ }
+ 
+ 
+@@ -789,7 +792,7 @@ static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
+ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+ {
+     LSIState *s = LSI53C895A(req->bus->qbus.parent);
+-    int out;
++    int out, stop = 0;
+ 
+     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
+     trace_lsi_command_complete(req->status);
+@@ -797,7 +800,10 @@ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+     s->command_complete = 2;
+     if (s->waiting && s->dbc != 0) {
+         /* Raise phase mismatch for short transfers.  */
+-        lsi_bad_phase(s, out, PHASE_ST);
++        stop = lsi_bad_phase(s, out, PHASE_ST);
++        if (stop) {
++            s->waiting = 0;
++        }
+     } else {
+         lsi_set_phase(s, PHASE_ST);
+     }
+@@ -807,7 +813,9 @@ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+         lsi_request_free(s, s->current);
+         scsi_req_unref(req);
+     }
+-    lsi_resume_script(s);
++    if (!stop) {
++        lsi_resume_script(s);
++    }
+ }
+ 
+  /* Callback to indicate that the SCSI layer has completed a transfer.  */

debian/patches/extra/0010-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch

@@ -1,89 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Igor Mammedov <imammedo@redhat.com>
-Date: Mon, 27 Dec 2021 14:31:17 -0500
-Subject: [PATCH] acpi: fix QEMU crash when started with SLIC table
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-if QEMU is started with used provided SLIC table blob,
-
-  -acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null
-it will assert with:
-
-  hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen)
-
-and following backtrace:
-
-  ...
-  build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61
-  acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727
-  build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064
-  ...
-
-which happens due to acpi_table_begin() expecting NULL terminated
-oem_id and oem_table_id strings, which is normally the case, but
-in case of user provided SLIC table, oem_id points to table's blob
-directly and as result oem_id became longer than expected.
-
-Fix issue by handling oem_id consistently and make acpi_get_slic_oem()
-return NULL terminated strings.
-
-PS:
-After [1] refactoring, oem_id semantics became inconsistent, where
-NULL terminated string was coming from machine and old way pointer
-into byte array coming from -acpitable option. That used to work
-since build_header() wasn't expecting NULL terminated string and
-blindly copied the 1st 6 bytes only.
-
-However commit [2] broke that by replacing build_header() with
-acpi_table_begin(), which was expecting NULL terminated string
-and was checking oem_id size.
-
-1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
-2)
-Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()")
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786
-Signed-off-by: Igor Mammedov <imammedo@redhat.com>
-Message-Id: <20211227193120.1084176-2-imammedo@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Tested-by: Denis Lisov <dennis.lissov@gmail.com>
-Tested-by: Alexander Tsoy <alexander@tsoy.me>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit 8cdb99af45365727ac17f45239a9b8c1d5155c6d)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/acpi/core.c       | 4 ++--
- hw/i386/acpi-build.c | 2 ++
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/acpi/core.c b/hw/acpi/core.c
-index 1e004d0078..3e811bf03c 100644
---- a/hw/acpi/core.c
-+++ b/hw/acpi/core.c
-@@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem)
-         struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
- 
-         if (memcmp(hdr->sig, "SLIC", 4) == 0) {
--            oem->id = hdr->oem_id;
--            oem->table_id = hdr->oem_table_id;
-+            oem->id = g_strndup(hdr->oem_id, 6);
-+            oem->table_id = g_strndup(hdr->oem_table_id, 8);
-             return 0;
-         }
-     }
-diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
-index a99c6e4fe3..570f82997b 100644
---- a/hw/i386/acpi-build.c
-+++ b/hw/i386/acpi-build.c
-@@ -2721,6 +2721,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
- 
-     /* Cleanup memory that's no longer used. */
-     g_array_free(table_offsets, true);
-+    g_free(slic_oem.id);
-+    g_free(slic_oem.table_id);
- }
- 
- static void acpi_ram_update(MemoryRegion *mr, GArray *data)

debian/patches/extra/0010-hw-scsi-lsi53c895a-add-missing-decrement-of-reentran.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Wed, 10 Apr 2024 08:43:30 +0300
+Subject: [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy
+ counter
+
+When the maximum count of SCRIPTS instructions is reached, the code
+stops execution and returns, but fails to decrement the reentrancy
+counter. This effectively renders the SCSI controller unusable
+because on next entry the reentrancy counter is still above the limit.
+
+This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
+loops.
+
+Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)")
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Message-ID: <20240128202214.2644768-1-svens@stackframe.org>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Tested-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 8b09b7fe47082c69295a0fc0cc01b041b6385025)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/scsi/lsi53c895a.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 905f5ef237..c7a3964b5f 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1167,6 +1167,7 @@ again:
+         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
+         lsi_disconnect(s);
+         trace_lsi_execute_script_stop();
++        reentrancy_level--;
+         return;
+     }
+     insn = read_dword(s, s->dsp);

debian/patches/extra/0011-hw-scsi-lsi53c895a-add-timer-to-scripts-processing.patch

@@ -0,0 +1,173 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Wed, 10 Apr 2024 08:43:31 +0300
+Subject: [PATCH] hw/scsi/lsi53c895a: add timer to scripts processing
+
+HP-UX 10.20 seems to make the lsi53c895a spinning on a memory location
+under certain circumstances. As the SCSI controller and CPU are not
+running at the same time this loop will never finish. After some
+time, the check loop interrupts with a unexpected device disconnect.
+This works, but is slow because the kernel resets the scsi controller.
+Instead of signaling UDC, start a timer and exit the loop. Until the
+timer fires, the CPU can process instructions which might changes the
+memory location.
+
+The limit of instructions is also reduced because scripts running on
+the SCSI processor are usually very short. This keeps the time until
+the loop is exit short.
+
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Message-ID: <20240229204407.1699260-1-svens@stackframe.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 9876359990dd4c8a48de65cf5e1c3d13e96a7f4e)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/scsi/lsi53c895a.c | 43 +++++++++++++++++++++++++++++++++----------
+ hw/scsi/trace-events |  2 ++
+ 2 files changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c7a3964b5f..48c85d479c 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -188,7 +188,7 @@ static const char *names[] = {
+ #define LSI_TAG_VALID     (1 << 16)
+ 
+ /* Maximum instructions to process. */
+-#define LSI_MAX_INSN    10000
++#define LSI_MAX_INSN    100
+ 
+ typedef struct lsi_request {
+     SCSIRequest *req;
+@@ -205,6 +205,7 @@ enum {
+     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
+     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
+     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
++    LSI_WAIT_SCRIPTS, /* SCRIPTS stopped because of instruction count limit */
+ };
+ 
+ enum {
+@@ -224,6 +225,7 @@ struct LSIState {
+     MemoryRegion ram_io;
+     MemoryRegion io_io;
+     AddressSpace pci_io_as;
++    QEMUTimer *scripts_timer;
+ 
+     int carry; /* ??? Should this be an a visible register somewhere?  */
+     int status;
+@@ -415,6 +417,7 @@ static void lsi_soft_reset(LSIState *s)
+     s->sbr = 0;
+     assert(QTAILQ_EMPTY(&s->queue));
+     assert(!s->current);
++    timer_del(s->scripts_timer);
+ }
+ 
+ static int lsi_dma_40bit(LSIState *s)
+@@ -1135,6 +1138,12 @@ static void lsi_wait_reselect(LSIState *s)
+     }
+ }
+ 
++static void lsi_scripts_timer_start(LSIState *s)
++{
++    trace_lsi_scripts_timer_start();
++    timer_mod(s->scripts_timer, qemu_clock_get_us(QEMU_CLOCK_VIRTUAL) + 500);
++}
++
+ static void lsi_execute_script(LSIState *s)
+ {
+     PCIDevice *pci_dev = PCI_DEVICE(s);
+@@ -1144,6 +1153,11 @@ static void lsi_execute_script(LSIState *s)
+     int insn_processed = 0;
+     static int reentrancy_level;
+ 
++    if (s->waiting == LSI_WAIT_SCRIPTS) {
++        timer_del(s->scripts_timer);
++        s->waiting = LSI_NOWAIT;
++    }
++
+     reentrancy_level++;
+ 
+     s->istat1 |= LSI_ISTAT1_SRUN;
+@@ -1151,8 +1165,8 @@ again:
+     /*
+      * Some windows drivers make the device spin waiting for a memory location
+      * to change. If we have executed more than LSI_MAX_INSN instructions then
+-     * assume this is the case and force an unexpected device disconnect. This
+-     * is apparently sufficient to beat the drivers into submission.
++     * assume this is the case and start a timer. Until the timer fires, the
++     * host CPU has a chance to run and change the memory location.
+      *
+      * Another issue (CVE-2023-0330) can occur if the script is programmed to
+      * trigger itself again and again. Avoid this problem by stopping after
+@@ -1160,13 +1174,8 @@ again:
+      * which should be enough for all valid use cases).
+      */
+     if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+-        if (!(s->sien0 & LSI_SIST0_UDC)) {
+-            qemu_log_mask(LOG_GUEST_ERROR,
+-                          "lsi_scsi: inf. loop with UDC masked");
+-        }
+-        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
+-        lsi_disconnect(s);
+-        trace_lsi_execute_script_stop();
++        s->waiting = LSI_WAIT_SCRIPTS;
++        lsi_scripts_timer_start(s);
+         reentrancy_level--;
+         return;
+     }
+@@ -2205,6 +2214,9 @@ static int lsi_post_load(void *opaque, int version_id)
+         return -EINVAL;
+     }
+ 
++    if (s->waiting == LSI_WAIT_SCRIPTS) {
++        lsi_scripts_timer_start(s);
++    }
+     return 0;
+ }
+ 
+@@ -2302,6 +2314,15 @@ static const struct SCSIBusInfo lsi_scsi_info = {
+     .cancel = lsi_request_cancelled
+ };
+ 
++static void scripts_timer_cb(void *opaque)
++{
++    LSIState *s = opaque;
++
++    trace_lsi_scripts_timer_triggered();
++    s->waiting = LSI_NOWAIT;
++    lsi_execute_script(s);
++}
++
+ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
+ {
+     LSIState *s = LSI53C895A(dev);
+@@ -2321,6 +2342,7 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
+                           "lsi-ram", 0x2000);
+     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
+                           "lsi-io", 256);
++    s->scripts_timer = timer_new_us(QEMU_CLOCK_VIRTUAL, scripts_timer_cb, s);
+ 
+     /*
+      * Since we use the address-space API to interact with ram_io, disable the
+@@ -2345,6 +2367,7 @@ static void lsi_scsi_exit(PCIDevice *dev)
+     LSIState *s = LSI53C895A(dev);
+ 
+     address_space_destroy(&s->pci_io_as);
++    timer_del(s->scripts_timer);
+ }
+ 
+ static void lsi_class_init(ObjectClass *klass, void *data)
+diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
+index ab238293f0..131af99d91 100644
+--- a/hw/scsi/trace-events
++++ b/hw/scsi/trace-events
+@@ -299,6 +299,8 @@ lsi_execute_script_stop(void) "SCRIPTS execution stopped"
+ lsi_awoken(void) "Woken by SIGP"
+ lsi_reg_read(const char *name, int offset, uint8_t ret) "Read reg %s 0x%x = 0x%02x"
+ lsi_reg_write(const char *name, int offset, uint8_t val) "Write reg %s 0x%x = 0x%02x"
++lsi_scripts_timer_triggered(void) "SCRIPTS timer triggered"
++lsi_scripts_timer_start(void) "SCRIPTS timer started"
+ 
+ # virtio-scsi.c
+ virtio_scsi_cmd_req(int lun, uint32_t tag, uint8_t cmd) "virtio_scsi_cmd_req lun=%u tag=0x%x cmd=0x%x"

debian/patches/extra/0011-virtio-net-fix-map-leaking-on-error-during-receive.patch

@@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Tue, 8 Mar 2022 10:42:51 +0800
-Subject: [PATCH] virtio-net: fix map leaking on error during receive
-
-Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
-tries to fix the use after free of the sg by caching the virtqueue
-elements in an array and unmap them at once after receiving the
-packets, But it forgot to unmap the cached elements on error which
-will lead to leaking of mapping and other unexpected results.
-
-Fixing this by detaching the cached elements on error. This addresses
-CVE-2022-26353.
-
-Reported-by: Victor Tom <vv474172261@gmail.com>
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2022-26353
-Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/net/virtio-net.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
-index f2014d5ea0..e1f4748831 100644
---- a/hw/net/virtio-net.c
-+++ b/hw/net/virtio-net.c
-@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
- 
- err:
-     for (j = 0; j < i; j++) {
-+        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
-         g_free(elems[j]);
-     }
- 

debian/patches/extra/0012-e1000e-fix-link-state-on-resume.patch

@@ -0,0 +1,161 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Wed, 10 Apr 2024 08:43:33 +0300
+Subject: [PATCH] e1000e: fix link state on resume
+
+On resume e1000e_vm_state_change() always calls e1000e_autoneg_resume()
+that sets link_down to false, and thus activates the link even
+if we have disabled it.
+
+The problem can be reproduced starting qemu in paused state (-S) and
+then set the link to down. When we resume the machine the link appears
+to be up.
+
+Reproducer:
+
+   # qemu-system-x86_64 ... -device e1000e,netdev=netdev0,id=net0 -S
+
+   {"execute": "qmp_capabilities" }
+   {"execute": "set_link", "arguments": {"name": "net0", "up": false}}
+   {"execute": "cont" }
+
+To fix the problem, merge the content of e1000e_vm_state_change()
+into e1000e_core_post_load() as e1000 does.
+
+Buglink: https://issues.redhat.com/browse/RHEL-21867
+Fixes: 6f3fbe4ed06a ("net: Introduce e1000e device emulation")
+Suggested-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 4cadf10234989861398e19f3bb441d3861f3bb7c)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/net/e1000e_core.c | 60 ++++++--------------------------------------
+ hw/net/e1000e_core.h |  2 --
+ 2 files changed, 7 insertions(+), 55 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index c71d82ce1d..742f5ec800 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -108,14 +108,6 @@ e1000e_intmgr_timer_resume(E1000IntrDelayTimer *timer)
+     }
+ }
+ 
+-static void
+-e1000e_intmgr_timer_pause(E1000IntrDelayTimer *timer)
+-{
+-    if (timer->running) {
+-        timer_del(timer->timer);
+-    }
+-}
+-
+ static inline void
+ e1000e_intrmgr_stop_timer(E1000IntrDelayTimer *timer)
+ {
+@@ -397,24 +389,6 @@ e1000e_intrmgr_resume(E1000ECore *core)
+     }
+ }
+ 
+-static void
+-e1000e_intrmgr_pause(E1000ECore *core)
+-{
+-    int i;
+-
+-    e1000e_intmgr_timer_pause(&core->radv);
+-    e1000e_intmgr_timer_pause(&core->rdtr);
+-    e1000e_intmgr_timer_pause(&core->raid);
+-    e1000e_intmgr_timer_pause(&core->tidv);
+-    e1000e_intmgr_timer_pause(&core->tadv);
+-
+-    e1000e_intmgr_timer_pause(&core->itr);
+-
+-    for (i = 0; i < E1000E_MSIX_VEC_NUM; i++) {
+-        e1000e_intmgr_timer_pause(&core->eitr[i]);
+-    }
+-}
+-
+ static void
+ e1000e_intrmgr_reset(E1000ECore *core)
+ {
+@@ -3336,12 +3310,6 @@ e1000e_core_read(E1000ECore *core, hwaddr addr, unsigned size)
+     return 0;
+ }
+ 
+-static inline void
+-e1000e_autoneg_pause(E1000ECore *core)
+-{
+-    timer_del(core->autoneg_timer);
+-}
+-
+ static void
+ e1000e_autoneg_resume(E1000ECore *core)
+ {
+@@ -3353,22 +3321,6 @@ e1000e_autoneg_resume(E1000ECore *core)
+     }
+ }
+ 
+-static void
+-e1000e_vm_state_change(void *opaque, bool running, RunState state)
+-{
+-    E1000ECore *core = opaque;
+-
+-    if (running) {
+-        trace_e1000e_vm_state_running();
+-        e1000e_intrmgr_resume(core);
+-        e1000e_autoneg_resume(core);
+-    } else {
+-        trace_e1000e_vm_state_stopped();
+-        e1000e_autoneg_pause(core);
+-        e1000e_intrmgr_pause(core);
+-    }
+-}
+-
+ void
+ e1000e_core_pci_realize(E1000ECore     *core,
+                         const uint16_t *eeprom_templ,
+@@ -3381,9 +3333,6 @@ e1000e_core_pci_realize(E1000ECore     *core,
+                                        e1000e_autoneg_timer, core);
+     e1000e_intrmgr_pci_realize(core);
+ 
+-    core->vmstate =
+-        qemu_add_vm_change_state_handler(e1000e_vm_state_change, core);
+-
+     for (i = 0; i < E1000E_NUM_QUEUES; i++) {
+         net_tx_pkt_init(&core->tx[i].tx_pkt, core->owner,
+                         E1000E_MAX_TX_FRAGS, core->has_vnet);
+@@ -3408,8 +3357,6 @@ e1000e_core_pci_uninit(E1000ECore *core)
+ 
+     e1000e_intrmgr_pci_unint(core);
+ 
+-    qemu_del_vm_change_state_handler(core->vmstate);
+-
+     for (i = 0; i < E1000E_NUM_QUEUES; i++) {
+         net_tx_pkt_reset(core->tx[i].tx_pkt);
+         net_tx_pkt_uninit(core->tx[i].tx_pkt);
+@@ -3561,5 +3508,12 @@ e1000e_core_post_load(E1000ECore *core)
+      */
+     nc->link_down = (core->mac[STATUS] & E1000_STATUS_LU) == 0;
+ 
++    /*
++     * we need to restart intrmgr timers, as an older version of
++     * QEMU can have stopped them before migration
++     */
++    e1000e_intrmgr_resume(core);
++    e1000e_autoneg_resume(core);
++
+     return 0;
+ }
+diff --git a/hw/net/e1000e_core.h b/hw/net/e1000e_core.h
+index 4ddb4d2c39..f2a8ff4a33 100644
+--- a/hw/net/e1000e_core.h
++++ b/hw/net/e1000e_core.h
+@@ -100,8 +100,6 @@ struct E1000Core {
+     E1000IntrDelayTimer eitr[E1000E_MSIX_VEC_NUM];
+     bool eitr_intr_pending[E1000E_MSIX_VEC_NUM];
+ 
+-    VMChangeStateEntry *vmstate;
+-
+     uint32_t itr_guest_value;
+     uint32_t eitr_guest_value[E1000E_MSIX_VEC_NUM];
+ 

debian/patches/extra/0012-memory-Fix-incorrect-calls-of-log_global_start-stop.patch

@@ -1,86 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Xu <peterx@redhat.com>
-Date: Tue, 30 Nov 2021 16:00:28 +0800
-Subject: [PATCH] memory: Fix incorrect calls of log_global_start/stop
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We should only call the log_global_start/stop when the global dirty track
-bitmask changes from zero<->non-zero.
-
-No real issue reported for this yet probably because no immediate user to
-enable both dirty rate measurement and migration at the same time.  However
-it'll be good to be prepared for it.
-
-Fixes: 63b41db4bc ("memory: make global_dirty_tracking a bitmask")
-Cc: qemu-stable@nongnu.org
-Cc: Hyman Huang <huangy81@chinatelecom.cn>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Cc: Juan Quintela <quintela@redhat.com>
-Cc: David Hildenbrand <david@redhat.com>
-Signed-off-by: Peter Xu <peterx@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Message-Id: <20211130080028.6474-1-peterx@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-(cherry picked from commit 7b0538ed3a22ce30817f818449d10701fb0821f9)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- softmmu/memory.c | 27 ++++++++++++++-------------
- 1 file changed, 14 insertions(+), 13 deletions(-)
-
-diff --git a/softmmu/memory.c b/softmmu/memory.c
-index 7340e19ff5..81d4bf1454 100644
---- a/softmmu/memory.c
-+++ b/softmmu/memory.c
-@@ -2773,6 +2773,8 @@ static VMChangeStateEntry *vmstate_change;
- 
- void memory_global_dirty_log_start(unsigned int flags)
- {
-+    unsigned int old_flags = global_dirty_tracking;
-+
-     if (vmstate_change) {
-         qemu_del_vm_change_state_handler(vmstate_change);
-         vmstate_change = NULL;
-@@ -2781,15 +2783,14 @@ void memory_global_dirty_log_start(unsigned int flags)
-     assert(flags && !(flags & (~GLOBAL_DIRTY_MASK)));
-     assert(!(global_dirty_tracking & flags));
-     global_dirty_tracking |= flags;
--
-     trace_global_dirty_changed(global_dirty_tracking);
- 
--    MEMORY_LISTENER_CALL_GLOBAL(log_global_start, Forward);
--
--    /* Refresh DIRTY_MEMORY_MIGRATION bit.  */
--    memory_region_transaction_begin();
--    memory_region_update_pending = true;
--    memory_region_transaction_commit();
-+    if (!old_flags) {
-+        MEMORY_LISTENER_CALL_GLOBAL(log_global_start, Forward);
-+        memory_region_transaction_begin();
-+        memory_region_update_pending = true;
-+        memory_region_transaction_commit();
-+    }
- }
- 
- static void memory_global_dirty_log_do_stop(unsigned int flags)
-@@ -2800,12 +2801,12 @@ static void memory_global_dirty_log_do_stop(unsigned int flags)
- 
-     trace_global_dirty_changed(global_dirty_tracking);
- 
--    /* Refresh DIRTY_MEMORY_MIGRATION bit.  */
--    memory_region_transaction_begin();
--    memory_region_update_pending = true;
--    memory_region_transaction_commit();
--
--    MEMORY_LISTENER_CALL_GLOBAL(log_global_stop, Reverse);
-+    if (!global_dirty_tracking) {
-+        memory_region_transaction_begin();
-+        memory_region_update_pending = true;
-+        memory_region_transaction_commit();
-+        MEMORY_LISTENER_CALL_GLOBAL(log_global_stop, Reverse);
-+    }
- }
- 
- static void memory_vm_change_state_handler(void *opaque, bool running,

debian/patches/extra/0013-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch

@@ -1,59 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Igor Mammedov <imammedo@redhat.com>
-Date: Wed, 12 Jan 2022 08:03:31 -0500
-Subject: [PATCH] acpi: fix OEM ID/OEM Table ID padding
-
-Commit [2] broke original '\0' padding of OEM ID and OEM Table ID
-fields in headers of ACPI tables. While it doesn't have impact on
-default values since QEMU uses 6 and 8 characters long values
-respectively, it broke usecase where IDs are provided on QEMU CLI.
-It shouldn't affect guest (but may cause licensing verification
-issues in guest OS).
-One of the broken usecases is user supplied SLIC table with IDs
-shorter than max possible length, where [2] mangles IDs with extra
-spaces in RSDT and FADT tables whereas guest OS expects those to
-mirror the respective values of the used SLIC table.
-
-Fix it by replacing whitespace padding with '\0' padding in
-accordance with [1] and expectations of guest OS
-
-1) ACPI spec, v2.0b
-       17.2 AML Grammar Definition
-       ...
-       //OEM ID of up to 6 characters. If the OEM ID is
-       //shorter than 6 characters, it can be terminated
-       //with a NULL character.
-
-2)
-Fixes: 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/707
-Reported-by: Dmitry V. Orekhov <dima.orekhov@gmail.com>
-Signed-off-by: Igor Mammedov <imammedo@redhat.com>
-Cc: qemu-stable@nongnu.org
-Message-Id: <20220112130332.1648664-4-imammedo@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Ani Sinha <ani@anisinha.ca>
-Tested-by: Dmitry V. Orekhov dima.orekhov@gmail.com
-(cherry picked from commit 748c030f360a940fe0c9382c8ca1649096c3a80d)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/acpi/aml-build.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
-index b3b3310df3..65148d5b9d 100644
---- a/hw/acpi/aml-build.c
-+++ b/hw/acpi/aml-build.c
-@@ -1724,9 +1724,9 @@ void acpi_table_begin(AcpiTable *desc, GArray *array)
-     build_append_int_noprefix(array, 0, 4); /* Length */
-     build_append_int_noprefix(array, desc->rev, 1); /* Revision */
-     build_append_int_noprefix(array, 0, 1); /* Checksum */
--    build_append_padded_str(array, desc->oem_id, 6, ' '); /* OEMID */
-+    build_append_padded_str(array, desc->oem_id, 6, '\0'); /* OEMID */
-     /* OEM Table ID */
--    build_append_padded_str(array, desc->oem_table_id, 8, ' ');
-+    build_append_padded_str(array, desc->oem_table_id, 8, '\0');
-     build_append_int_noprefix(array, 1, 4); /* OEM Revision */
-     g_array_append_vals(array, ACPI_BUILD_APPNAME8, 4); /* Creator ID */
-     build_append_int_noprefix(array, 1, 4); /* Creator Revision */

debian/patches/extra/0013-target-i386-introduce-function-to-query-MMU-indices.patch

@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 10 Apr 2024 08:43:49 +0300
+Subject: [PATCH] target/i386: introduce function to query MMU indices
+
+Remove knowledge of specific MMU indexes (other than MMU_NESTED_IDX and
+MMU_PHYS_IDX) from mmu_translate().  This will make it possible to split
+32-bit and 64-bit MMU indexes.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 5f97afe2543f09160a8d123ab6e2e8c6d98fa9ce)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: context fixup in target/i386/cpu.h due to other changes in that area)
+---
+ target/i386/cpu.h                    | 10 ++++++++++
+ target/i386/tcg/sysemu/excp_helper.c |  4 ++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 7be047ce33..f175e18768 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2195,6 +2195,16 @@ static inline int cpu_mmu_index(CPUX86State *env, bool ifetch)
+         ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
+ }
+ 
++static inline bool is_mmu_index_smap(int mmu_index)
++{
++    return mmu_index == MMU_KSMAP_IDX;
++}
++
++static inline bool is_mmu_index_user(int mmu_index)
++{
++    return mmu_index == MMU_USER_IDX;
++}
++
+ static inline bool is_mmu_index_32(int mmu_index)
+ {
+     assert(mmu_index < MMU_PHYS_IDX);
+diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
+index 5999cdedf5..553a60d976 100644
+--- a/target/i386/tcg/sysemu/excp_helper.c
++++ b/target/i386/tcg/sysemu/excp_helper.c
+@@ -135,7 +135,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+ {
+     const target_ulong addr = in->addr;
+     const int pg_mode = in->pg_mode;
+-    const bool is_user = (in->mmu_idx == MMU_USER_IDX);
++    const bool is_user = is_mmu_index_user(in->mmu_idx);
+     const MMUAccessType access_type = in->access_type;
+     uint64_t ptep, pte, rsvd_mask;
+     PTETranslate pte_trans = {
+@@ -355,7 +355,7 @@ do_check_protect_pse36:
+     }
+ 
+     int prot = 0;
+-    if (in->mmu_idx != MMU_KSMAP_IDX || !(ptep & PG_USER_MASK)) {
++    if (!is_mmu_index_smap(in->mmu_idx) || !(ptep & PG_USER_MASK)) {
+         prot |= PAGE_READ;
+         if ((ptep & PG_RW_MASK) || !(is_user || (pg_mode & PG_MODE_WP))) {
+             prot |= PAGE_WRITE;

debian/patches/extra/0014-target-i386-use-separate-MMU-indexes-for-32-bit-acce.patch

@@ -0,0 +1,130 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 10 Apr 2024 08:43:50 +0300
+Subject: [PATCH] target/i386: use separate MMU indexes for 32-bit accesses
+
+Accesses from a 32-bit environment (32-bit code segment for instruction
+accesses, EFER.LMA==0 for processor accesses) have to mask away the
+upper 32 bits of the address.  While a bit wasteful, the easiest way
+to do so is to use separate MMU indexes.  These days, QEMU anyway is
+compiled with a fixed value for NB_MMU_MODES.  Split MMU_USER_IDX,
+MMU_KSMAP_IDX and MMU_KNOSMAP_IDX in two.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 90f641531c782c873a05895f411c05fbbbef3c49)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: move changes for x86_cpu_mmu_index() to cpu_mmu_index() due to missing
+ v8.2.0-1030-gace0c5fe5950 "target/i386: Populate CPUClass.mmu_index"
+ Increase NB_MMU_MODES from 5 to 8 in target/i386/cpu-param.h due to missing
+ v7.2.0-2640-gffd824f3f32d "include/exec: Set default NB_MMU_MODES to 16"
+ v7.2.0-2647-g6787318a5d86 "target/i386: Remove NB_MMU_MODES define"
+ which relaxed upper limit of MMU index for i386, since this commit starts
+ using MMU_NESTED_IDX=7.
+ Thanks Zhao Liu and Paolo Bonzini for the analisys and suggestions.
+)
+---
+ target/i386/cpu-param.h              |  2 +-
+ target/i386/cpu.h                    | 44 ++++++++++++++++++++--------
+ target/i386/tcg/sysemu/excp_helper.c |  3 +-
+ 3 files changed, 34 insertions(+), 15 deletions(-)
+
+diff --git a/target/i386/cpu-param.h b/target/i386/cpu-param.h
+index f579b16bd2..e21e472e1e 100644
+--- a/target/i386/cpu-param.h
++++ b/target/i386/cpu-param.h
+@@ -23,7 +23,7 @@
+ # define TARGET_VIRT_ADDR_SPACE_BITS  32
+ #endif
+ #define TARGET_PAGE_BITS 12
+-#define NB_MMU_MODES 5
++#define NB_MMU_MODES 8
+ 
+ #ifndef CONFIG_USER_ONLY
+ # define TARGET_TB_PCREL 1
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index f175e18768..73eee08f3f 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2182,27 +2182,42 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+ #define cpu_list x86_cpu_list
+ 
+ /* MMU modes definitions */
+-#define MMU_KSMAP_IDX   0
+-#define MMU_USER_IDX    1
+-#define MMU_KNOSMAP_IDX 2
+-#define MMU_NESTED_IDX  3
+-#define MMU_PHYS_IDX    4
++#define MMU_KSMAP64_IDX    0
++#define MMU_KSMAP32_IDX    1
++#define MMU_USER64_IDX     2
++#define MMU_USER32_IDX     3
++#define MMU_KNOSMAP64_IDX  4
++#define MMU_KNOSMAP32_IDX  5
++#define MMU_PHYS_IDX       6
++#define MMU_NESTED_IDX     7
++
++#ifdef CONFIG_USER_ONLY
++#ifdef TARGET_X86_64
++#define MMU_USER_IDX MMU_USER64_IDX
++#else
++#define MMU_USER_IDX MMU_USER32_IDX
++#endif
++#endif
+ 
+ static inline int cpu_mmu_index(CPUX86State *env, bool ifetch)
+ {
+-    return (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER_IDX :
+-        (!(env->hflags & HF_SMAP_MASK) || (env->eflags & AC_MASK))
+-        ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
++    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 1 : 0;
++    int mmu_index_base =
++        (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER64_IDX :
++        !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
++        (env->eflags & AC_MASK) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;
++
++    return mmu_index_base + mmu_index_32;
+ }
+ 
+ static inline bool is_mmu_index_smap(int mmu_index)
+ {
+-    return mmu_index == MMU_KSMAP_IDX;
++    return (mmu_index & ~1) == MMU_KSMAP64_IDX;
+ }
+ 
+ static inline bool is_mmu_index_user(int mmu_index)
+ {
+-    return mmu_index == MMU_USER_IDX;
++    return (mmu_index & ~1) == MMU_USER64_IDX;
+ }
+ 
+ static inline bool is_mmu_index_32(int mmu_index)
+@@ -2213,9 +2228,12 @@ static inline bool is_mmu_index_32(int mmu_index)
+ 
+ static inline int cpu_mmu_index_kernel(CPUX86State *env)
+ {
+-    return !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP_IDX :
+-        ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK))
+-        ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
++    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 1 : 0;
++    int mmu_index_base =
++        !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
++        ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK)) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;
++
++    return mmu_index_base + mmu_index_32;
+ }
+ 
+ #define CC_DST  (env->cc_dst)
+diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
+index 553a60d976..5f13252d68 100644
+--- a/target/i386/tcg/sysemu/excp_helper.c
++++ b/target/i386/tcg/sysemu/excp_helper.c
+@@ -541,7 +541,8 @@ static bool get_physical_address(CPUX86State *env, vaddr addr,
+         if (likely(use_stage2)) {
+             in.cr3 = env->nested_cr3;
+             in.pg_mode = env->nested_pg_mode;
+-            in.mmu_idx = MMU_USER_IDX;
++            in.mmu_idx =
++                env->nested_pg_mode & PG_MODE_LMA ? MMU_USER64_IDX : MMU_USER32_IDX;
+             in.ptw_idx = MMU_PHYS_IDX;
+ 
+             if (!mmu_translate(env, &in, out, err)) {

debian/patches/extra/0014-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch

@@ -1,55 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefano Garzarella <sgarzare@redhat.com>
-Date: Mon, 28 Feb 2022 10:50:58 +0100
-Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error
-
-In vhost_vsock_common_send_transport_reset(), if an element popped from
-the virtqueue is invalid, we should call virtqueue_detach_element() to
-detach it from the virtqueue before freeing its memory.
-
-Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
-Fixes: CVE-2022-26354
-Cc: qemu-stable@nongnu.org
-Reported-by: VictorV <vv474172261@gmail.com>
-Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
-Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/virtio/vhost-vsock-common.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
-index 3f3771274e..ed706681ac 100644
---- a/hw/virtio/vhost-vsock-common.c
-+++ b/hw/virtio/vhost-vsock-common.c
-@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
-     if (elem->out_num) {
-         error_report("invalid vhost-vsock event virtqueue element with "
-                      "out buffers");
--        goto out;
-+        goto err;
-     }
- 
-     if (iov_from_buf(elem->in_sg, elem->in_num, 0,
-                      &event, sizeof(event)) != sizeof(event)) {
-         error_report("vhost-vsock event virtqueue element is too short");
--        goto out;
-+        goto err;
-     }
- 
-     virtqueue_push(vq, elem, sizeof(event));
-     virtio_notify(VIRTIO_DEVICE(vvc), vq);
- 
--out:
-+    g_free(elem);
-+    return;
-+
-+err:
-+    virtqueue_detach_element(vq, elem, 0);
-     g_free(elem);
- }
- 

debian/patches/extra/0015-target-i386-fix-direction-of-32-bit-MMU-test.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 10 Apr 2024 08:43:51 +0300
+Subject: [PATCH] target/i386: fix direction of "32-bit MMU" test
+
+The low bit of MMU indices for x86 TCG indicates whether the processor is
+in 32-bit mode and therefore linear addresses have to be masked to 32 bits.
+However, the index was computed incorrectly, leading to possible conflicts
+in the TLB for any address above 4G.
+
+Analyzed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Fixes: b1661801c18 ("target/i386: Fix physical address truncation", 2024-02-28)
+Fixes: 1c15f97b4f1 ("target/i386: Fix physical address truncation" in stable-7.2)
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2206
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 2cc68629a6fc198f4a972698bdd6477f883aedfb)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: move changes for x86_cpu_mmu_index() to cpu_mmu_index() due to missing
+ v8.2.0-1030-gace0c5fe59 "target/i386: Populate CPUClass.mmu_index")
+---
+ target/i386/cpu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 73eee08f3f..326649ca99 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2201,7 +2201,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+ 
+ static inline int cpu_mmu_index(CPUX86State *env, bool ifetch)
+ {
+-    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 1 : 0;
++    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 0 : 1;
+     int mmu_index_base =
+         (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER64_IDX :
+         !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
+@@ -2228,7 +2228,7 @@ static inline bool is_mmu_index_32(int mmu_index)
+ 
+ static inline int cpu_mmu_index_kernel(CPUX86State *env)
+ {
+-    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 1 : 0;
++    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 0 : 1;
+     int mmu_index_base =
+         !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
+         ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK)) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;

debian/patches/extra/0015-vhost-user-remove-VirtQ-notifier-restore.patch

@@ -1,98 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Xueming Li <xuemingl@nvidia.com>
-Date: Mon, 7 Feb 2022 15:19:28 +0800
-Subject: [PATCH] vhost-user: remove VirtQ notifier restore
-
-Notifier set when vhost-user backend asks qemu to mmap an FD and
-offset. When vhost-user backend restart or getting killed, VQ notifier
-FD and mmap addresses become invalid. After backend restart, MR contains
-the invalid address will be restored and fail on notifier access.
-
-On the other hand, qemu should munmap the notifier, release underlying
-hardware resources to enable backend restart and allocate hardware
-notifier resources correctly.
-
-Qemu shouldn't reference and use resources of disconnected backend.
-
-This patch removes VQ notifier restore, uses the default vhost-user
-notifier to avoid invalid address access.
-
-After backend restart, the backend should ask qemu to install a hardware
-notifier if needed.
-
-Fixes: 44866521bd6e ("vhost-user: support registering external host notifiers")
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Xueming Li <xuemingl@nvidia.com>
-Message-Id: <20220207071929.527149-2-xuemingl@nvidia.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit e867144b73b3c5009266b6df07d5ff44acfb82c3)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/virtio/vhost-user.c         | 19 +------------------
- include/hw/virtio/vhost-user.h |  1 -
- 2 files changed, 1 insertion(+), 19 deletions(-)
-
-diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
-index bf6e50223c..c671719e9b 100644
---- a/hw/virtio/vhost-user.c
-+++ b/hw/virtio/vhost-user.c
-@@ -1143,19 +1143,6 @@ static int vhost_user_set_vring_num(struct vhost_dev *dev,
-     return vhost_set_vring(dev, VHOST_USER_SET_VRING_NUM, ring);
- }
- 
--static void vhost_user_host_notifier_restore(struct vhost_dev *dev,
--                                             int queue_idx)
--{
--    struct vhost_user *u = dev->opaque;
--    VhostUserHostNotifier *n = &u->user->notifier[queue_idx];
--    VirtIODevice *vdev = dev->vdev;
--
--    if (n->addr && !n->set) {
--        virtio_queue_set_host_notifier_mr(vdev, queue_idx, &n->mr, true);
--        n->set = true;
--    }
--}
--
- static void vhost_user_host_notifier_remove(struct vhost_dev *dev,
-                                             int queue_idx)
- {
-@@ -1163,17 +1150,14 @@ static void vhost_user_host_notifier_remove(struct vhost_dev *dev,
-     VhostUserHostNotifier *n = &u->user->notifier[queue_idx];
-     VirtIODevice *vdev = dev->vdev;
- 
--    if (n->addr && n->set) {
-+    if (n->addr) {
-         virtio_queue_set_host_notifier_mr(vdev, queue_idx, &n->mr, false);
--        n->set = false;
-     }
- }
- 
- static int vhost_user_set_vring_base(struct vhost_dev *dev,
-                                      struct vhost_vring_state *ring)
- {
--    vhost_user_host_notifier_restore(dev, ring->index);
--
-     return vhost_set_vring(dev, VHOST_USER_SET_VRING_BASE, ring);
- }
- 
-@@ -1538,7 +1522,6 @@ static int vhost_user_slave_handle_vring_host_notifier(struct vhost_dev *dev,
-     }
- 
-     n->addr = addr;
--    n->set = true;
- 
-     return 0;
- }
-diff --git a/include/hw/virtio/vhost-user.h b/include/hw/virtio/vhost-user.h
-index a9abca3288..f6012b2078 100644
---- a/include/hw/virtio/vhost-user.h
-+++ b/include/hw/virtio/vhost-user.h
-@@ -14,7 +14,6 @@
- typedef struct VhostUserHostNotifier {
-     MemoryRegion mr;
-     void *addr;
--    bool set;
- } VhostUserHostNotifier;
- 
- typedef struct VhostUserState {

debian/patches/extra/0016-target-i386-Revert-monitor_puts-in-do_inject_x86_mce.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tao Su <tao1.su@linux.intel.com>
+Date: Wed, 10 Apr 2024 08:43:52 +0300
+Subject: [PATCH] target/i386: Revert monitor_puts() in do_inject_x86_mce()
+
+monitor_puts() doesn't check the monitor pointer, but do_inject_x86_mce()
+may have a parameter with NULL monitor pointer. Revert monitor_puts() in
+do_inject_x86_mce() to fix, then the fact that we send the same message to
+monitor and log is again more obvious.
+
+Fixes: bf0c50d4aa85 (monitor: expose monitor_puts to rest of code)
+Reviwed-by: Xiaoyao Li <xiaoyao.li@intel.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Tao Su <tao1.su@linux.intel.com>
+Message-ID: <20240320083640.523287-1-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7fd226b04746f0be0b636de5097f1b42338951a0)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ target/i386/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/helper.c b/target/i386/helper.c
+index 0ac2da066d..290d9d309c 100644
+--- a/target/i386/helper.c
++++ b/target/i386/helper.c
+@@ -427,7 +427,7 @@ static void do_inject_x86_mce(CPUState *cs, run_on_cpu_data data)
+         if (need_reset) {
+             emit_guest_memory_failure(MEMORY_FAILURE_ACTION_RESET, ar,
+                                       recursive);
+-            monitor_puts(params->mon, msg);
++            monitor_printf(params->mon, "%s", msg);
+             qemu_log_mask(CPU_LOG_RESET, "%s\n", msg);
+             qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+             return;

debian/patches/extra/0016-vhost-user-fix-VirtQ-notifier-cleanup.patch

@@ -1,149 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Xueming Li <xuemingl@nvidia.com>
-Date: Mon, 7 Feb 2022 15:19:29 +0800
-Subject: [PATCH] vhost-user: fix VirtQ notifier cleanup
-
-When vhost-user device cleanup, remove notifier MR and munmaps notifier
-address in the event-handling thread, VM CPU thread writing the notifier
-in concurrent fails with an error of accessing invalid address. It
-happens because MR is still being referenced and accessed in another
-thread while the underlying notifier mmap address is being freed and
-becomes invalid.
-
-This patch calls RCU and munmap notifiers in the callback after the
-memory flatview update finish.
-
-Fixes: 44866521bd6e ("vhost-user: support registering external host notifiers")
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Xueming Li <xuemingl@nvidia.com>
-Message-Id: <20220207071929.527149-3-xuemingl@nvidia.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit 0b0af4d62f7002b31cd7b2762b26d2fcb76bb2ba)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/virtio/vhost-user.c         | 48 ++++++++++++++++++++--------------
- include/hw/virtio/vhost-user.h |  2 ++
- 2 files changed, 31 insertions(+), 19 deletions(-)
-
-diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
-index c671719e9b..ed5f9a5471 100644
---- a/hw/virtio/vhost-user.c
-+++ b/hw/virtio/vhost-user.c
-@@ -25,6 +25,7 @@
- #include "migration/migration.h"
- #include "migration/postcopy-ram.h"
- #include "trace.h"
-+#include "exec/ramblock.h"
- 
- #include <sys/ioctl.h>
- #include <sys/socket.h>
-@@ -1143,15 +1144,26 @@ static int vhost_user_set_vring_num(struct vhost_dev *dev,
-     return vhost_set_vring(dev, VHOST_USER_SET_VRING_NUM, ring);
- }
- 
--static void vhost_user_host_notifier_remove(struct vhost_dev *dev,
--                                            int queue_idx)
-+static void vhost_user_host_notifier_free(VhostUserHostNotifier *n)
- {
--    struct vhost_user *u = dev->opaque;
--    VhostUserHostNotifier *n = &u->user->notifier[queue_idx];
--    VirtIODevice *vdev = dev->vdev;
-+    assert(n && n->unmap_addr);
-+    munmap(n->unmap_addr, qemu_real_host_page_size);
-+    n->unmap_addr = NULL;
-+}
-+
-+static void vhost_user_host_notifier_remove(VhostUserState *user,
-+                                            VirtIODevice *vdev, int queue_idx)
-+{
-+    VhostUserHostNotifier *n = &user->notifier[queue_idx];
- 
-     if (n->addr) {
--        virtio_queue_set_host_notifier_mr(vdev, queue_idx, &n->mr, false);
-+        if (vdev) {
-+            virtio_queue_set_host_notifier_mr(vdev, queue_idx, &n->mr, false);
-+        }
-+        assert(!n->unmap_addr);
-+        n->unmap_addr = n->addr;
-+        n->addr = NULL;
-+        call_rcu(n, vhost_user_host_notifier_free, rcu);
-     }
- }
- 
-@@ -1190,8 +1202,9 @@ static int vhost_user_get_vring_base(struct vhost_dev *dev,
-         .payload.state = *ring,
-         .hdr.size = sizeof(msg.payload.state),
-     };
-+    struct vhost_user *u = dev->opaque;
- 
--    vhost_user_host_notifier_remove(dev, ring->index);
-+    vhost_user_host_notifier_remove(u->user, dev->vdev, ring->index);
- 
-     if (vhost_user_write(dev, &msg, NULL, 0) < 0) {
-         return -1;
-@@ -1486,12 +1499,7 @@ static int vhost_user_slave_handle_vring_host_notifier(struct vhost_dev *dev,
- 
-     n = &user->notifier[queue_idx];
- 
--    if (n->addr) {
--        virtio_queue_set_host_notifier_mr(vdev, queue_idx, &n->mr, false);
--        object_unparent(OBJECT(&n->mr));
--        munmap(n->addr, page_size);
--        n->addr = NULL;
--    }
-+    vhost_user_host_notifier_remove(user, vdev, queue_idx);
- 
-     if (area->u64 & VHOST_USER_VRING_NOFD_MASK) {
-         return 0;
-@@ -1510,9 +1518,12 @@ static int vhost_user_slave_handle_vring_host_notifier(struct vhost_dev *dev,
- 
-     name = g_strdup_printf("vhost-user/host-notifier@%p mmaps[%d]",
-                            user, queue_idx);
--    if (!n->mr.ram) /* Don't init again after suspend. */
-+    if (!n->mr.ram) { /* Don't init again after suspend. */
-         memory_region_init_ram_device_ptr(&n->mr, OBJECT(vdev), name,
-                                           page_size, addr);
-+    } else {
-+        n->mr.ram_block->host = addr;
-+    }
-     g_free(name);
- 
-     if (virtio_queue_set_host_notifier_mr(vdev, queue_idx, &n->mr, true)) {
-@@ -2460,17 +2471,16 @@ bool vhost_user_init(VhostUserState *user, CharBackend *chr, Error **errp)
- void vhost_user_cleanup(VhostUserState *user)
- {
-     int i;
-+    VhostUserHostNotifier *n;
- 
-     if (!user->chr) {
-         return;
-     }
-     memory_region_transaction_begin();
-     for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
--        if (user->notifier[i].addr) {
--            object_unparent(OBJECT(&user->notifier[i].mr));
--            munmap(user->notifier[i].addr, qemu_real_host_page_size);
--            user->notifier[i].addr = NULL;
--        }
-+        n = &user->notifier[i];
-+        vhost_user_host_notifier_remove(user, NULL, i);
-+        object_unparent(OBJECT(&n->mr));
-     }
-     memory_region_transaction_commit();
-     user->chr = NULL;
-diff --git a/include/hw/virtio/vhost-user.h b/include/hw/virtio/vhost-user.h
-index f6012b2078..e44a41bb70 100644
---- a/include/hw/virtio/vhost-user.h
-+++ b/include/hw/virtio/vhost-user.h
-@@ -12,8 +12,10 @@
- #include "hw/virtio/virtio.h"
- 
- typedef struct VhostUserHostNotifier {
-+    struct rcu_head rcu;
-     MemoryRegion mr;
-     void *addr;
-+    void *unmap_addr;
- } VhostUserHostNotifier;
- 
- typedef struct VhostUserState {

debian/patches/extra/0017-tcg-optimize-Fix-sign_mask-for-logical-right-shift.patch

@@ -0,0 +1,86 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Wed, 10 Apr 2024 08:43:57 +0300
+Subject: [PATCH] tcg/optimize: Fix sign_mask for logical right-shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'sign' computation is attempting to locate the sign bit that has
+been repeated, so that we can test if that bit is known zero.  That
+computation can be zero if there are no known sign repetitions.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 93a967fbb57 ("tcg/optimize: Propagate sign info for shifting")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2248
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+(cherry picked from commit 2911e9b95f3bb03783ae5ca3e2494dc3b44a9161)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: trivial context fixup in tests/tcg/aarch64/Makefile.target)
+---
+ tcg/optimize.c                    |  2 +-
+ tests/tcg/aarch64/Makefile.target |  1 +
+ tests/tcg/aarch64/test-2248.c     | 28 ++++++++++++++++++++++++++++
+ 3 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 tests/tcg/aarch64/test-2248.c
+
+diff --git a/tcg/optimize.c b/tcg/optimize.c
+index ae081ab29c..b6f6436c74 100644
+--- a/tcg/optimize.c
++++ b/tcg/optimize.c
+@@ -1907,7 +1907,7 @@ static bool fold_shift(OptContext *ctx, TCGOp *op)
+          * will not reduced the number of input sign repetitions.
+          */
+         sign = (s_mask & -s_mask) >> 1;
+-        if (!(z_mask & sign)) {
++        if (sign && !(z_mask & sign)) {
+             ctx->s_mask = s_mask;
+         }
+         break;
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index 5e4ea7c998..474f61bc30 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -10,6 +10,7 @@ VPATH 		+= $(AARCH64_SRC)
+ 
+ # Base architecture tests
+ AARCH64_TESTS=fcvt pcalign-a64
++AARCH64_TESTS += test-2248
+ 
+ fcvt: LDFLAGS+=-lm
+ 
+diff --git a/tests/tcg/aarch64/test-2248.c b/tests/tcg/aarch64/test-2248.c
+new file mode 100644
+index 0000000000..aac2e17836
+--- /dev/null
++++ b/tests/tcg/aarch64/test-2248.c
+@@ -0,0 +1,28 @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++/* See https://gitlab.com/qemu-project/qemu/-/issues/2248 */
++
++#include <assert.h>
++
++__attribute__((noinline))
++long test(long x, long y, long sh)
++{
++    long r;
++    asm("cmp   %1, %2\n\t"
++        "cset  x12, lt\n\t"
++        "and   w11, w12, #0xff\n\t"
++        "cmp   w11, #0\n\t"
++        "csetm x14, ne\n\t"
++        "lsr   x13, x14, %3\n\t"
++        "sxtb  %0, w13"
++        : "=r"(r)
++        : "r"(x), "r"(y), "r"(sh)
++        : "x11", "x12", "x13", "x14");
++    return r;
++}
++
++int main()
++{
++    long r = test(0, 1, 2);
++    assert(r == -1);
++    return 0;
++}

debian/patches/extra/0017-virtio-fix-the-condition-for-iommu_platform-not-supp.patch

@@ -1,101 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Halil Pasic <pasic@linux.ibm.com>
-Date: Mon, 7 Feb 2022 12:28:57 +0100
-Subject: [PATCH] virtio: fix the condition for iommu_platform not supported
-
-The commit 04ceb61a40 ("virtio: Fail if iommu_platform is requested, but
-unsupported") claims to fail the device hotplug when iommu_platform
-is requested, but not supported by the (vhost) device. On the first
-glance the condition for detecting that situation looks perfect, but
-because a certain peculiarity of virtio_platform it ain't.
-
-In fact the aforementioned commit introduces a regression. It breaks
-virtio-fs support for Secure Execution, and most likely also for AMD SEV
-or any other confidential guest scenario that relies encrypted guest
-memory.  The same also applies to any other vhost device that does not
-support _F_ACCESS_PLATFORM.
-
-The peculiarity is that iommu_platform and _F_ACCESS_PLATFORM collates
-"device can not access all of the guest RAM" and "iova != gpa, thus
-device needs to translate iova".
-
-Confidential guest technologies currently rely on the device/hypervisor
-offering _F_ACCESS_PLATFORM, so that, after the feature has been
-negotiated, the guest  grants access to the portions of memory the
-device needs to see. So in for confidential guests, generally,
-_F_ACCESS_PLATFORM is about the restricted access to memory, but not
-about the addresses used being something else than guest physical
-addresses.
-
-This is the very reason for which commit f7ef7e6e3b ("vhost: correctly
-turn on VIRTIO_F_IOMMU_PLATFORM") fences _F_ACCESS_PLATFORM from the
-vhost device that does not need it, because on the vhost interface it
-only means "I/O address translation is needed".
-
-This patch takes inspiration from f7ef7e6e3b ("vhost: correctly turn on
-VIRTIO_F_IOMMU_PLATFORM"), and uses the same condition for detecting the
-situation when _F_ACCESS_PLATFORM is requested, but no I/O translation
-by the device, and thus no device capability is needed. In this
-situation claiming that the device does not support iommu_plattform=on
-is counter-productive. So let us stop doing that!
-
-Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
-Reported-by: Jakob Naucke <Jakob.Naucke@ibm.com>
-Fixes: 04ceb61a40 ("virtio: Fail if iommu_platform is requested, but
-unsupported")
-Acked-by: Cornelia Huck <cohuck@redhat.com>
-Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
-Tested-by: Daniel Henrique Barboza <danielhb413@gmail.com>
-Cc: Kevin Wolf <kwolf@redhat.com>
-Cc: qemu-stable@nongnu.org
-
-Message-Id: <20220207112857.607829-1-pasic@linux.ibm.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
-(cherry picked from commit e65902a913bf31ba79a83a3bd3621108b85cf645)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/virtio/virtio-bus.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/hw/virtio/virtio-bus.c b/hw/virtio/virtio-bus.c
-index d23db98c56..0f69d1c742 100644
---- a/hw/virtio/virtio-bus.c
-+++ b/hw/virtio/virtio-bus.c
-@@ -48,6 +48,7 @@ void virtio_bus_device_plugged(VirtIODevice *vdev, Error **errp)
-     VirtioBusClass *klass = VIRTIO_BUS_GET_CLASS(bus);
-     VirtioDeviceClass *vdc = VIRTIO_DEVICE_GET_CLASS(vdev);
-     bool has_iommu = virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
-+    bool vdev_has_iommu;
-     Error *local_err = NULL;
- 
-     DPRINTF("%s: plug device.\n", qbus->name);
-@@ -69,11 +70,6 @@ void virtio_bus_device_plugged(VirtIODevice *vdev, Error **errp)
-         return;
-     }
- 
--    if (has_iommu && !virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM)) {
--        error_setg(errp, "iommu_platform=true is not supported by the device");
--        return;
--    }
--
-     if (klass->device_plugged != NULL) {
-         klass->device_plugged(qbus->parent, &local_err);
-     }
-@@ -82,9 +78,15 @@ void virtio_bus_device_plugged(VirtIODevice *vdev, Error **errp)
-         return;
-     }
- 
-+    vdev_has_iommu = virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
-     if (klass->get_dma_as != NULL && has_iommu) {
-         virtio_add_feature(&vdev->host_features, VIRTIO_F_IOMMU_PLATFORM);
-         vdev->dma_as = klass->get_dma_as(qbus->parent);
-+        if (!vdev_has_iommu && vdev->dma_as != &address_space_memory) {
-+            error_setg(errp,
-+                       "iommu_platform=true is not supported by the device");
-+            return;
-+        }
-     } else {
-         vdev->dma_as = &address_space_memory;
-     }

debian/patches/extra/0018-block-gluster-correctly-set-max_pdiscard-which-is-in.patch

@@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fabian Ebner <f.ebner@proxmox.com>
-Date: Fri, 6 May 2022 14:38:35 +0200
-Subject: [PATCH] block/gluster: correctly set max_pdiscard which is int64_t
-
-Previously, max_pdiscard would be zero in the following assertion:
-qemu-system-x86_64: ../block/io.c:3166: bdrv_co_pdiscard: Assertion
-`max_pdiscard >= bs->bl.request_alignment' failed.
-
-Fixes: 0c8022876f ("block: use int64_t instead of int in driver discard handlers")
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- block/gluster.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/block/gluster.c b/block/gluster.c
-index 398976bc66..592e71b22a 100644
---- a/block/gluster.c
-+++ b/block/gluster.c
-@@ -891,7 +891,7 @@ out:
- static void qemu_gluster_refresh_limits(BlockDriverState *bs, Error **errp)
- {
-     bs->bl.max_transfer = GLUSTER_MAX_TRANSFER;
--    bs->bl.max_pdiscard = SIZE_MAX;
-+    bs->bl.max_pdiscard = INT64_MAX;
- }
- 
- static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
-@@ -1304,7 +1304,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs,
-     GlusterAIOCB acb;
-     BDRVGlusterState *s = bs->opaque;
- 
--    assert(bytes <= SIZE_MAX); /* rely on max_pdiscard */
-+    assert(bytes <= INT64_MAX); /* rely on max_pdiscard */
- 
-     acb.size = 0;
-     acb.ret = 0;

debian/patches/extra/0018-hw-virtio-Fix-packed-virtqueue-flush-used_idx.patch

@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wafer <wafer@jaguarmicro.com>
+Date: Wed, 10 Apr 2024 08:44:02 +0300
+Subject: [PATCH] hw/virtio: Fix packed virtqueue flush used_idx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the event of writing many chains of descriptors, the device must
+write just the id of the last buffer in the descriptor chain, skip
+forward the number of descriptors in the chain, and then repeat the
+operations for the rest of chains.
+
+Current QEMU code writes all the buffer ids consecutively, and then
+skips all the buffers altogether. This is a bug, and can be reproduced
+with a VirtIONet device with _F_MRG_RXBUB and without
+_F_INDIRECT_DESC:
+
+If a virtio-net device has the VIRTIO_NET_F_MRG_RXBUF feature
+but not the VIRTIO_RING_F_INDIRECT_DESC feature,
+'VirtIONetQueue->rx_vq' will use the merge feature
+to store data in multiple 'elems'.
+The 'num_buffers' in the virtio header indicates how many elements are merged.
+If the value of 'num_buffers' is greater than 1,
+all the merged elements will be filled into the descriptor ring.
+The 'idx' of the elements should be the value of 'vq->used_idx' plus 'ndescs'.
+
+Fixes: 86044b24e8 ("virtio: basic packed virtqueue support")
+Acked-by: Eugenio Pérez <eperezma@redhat.com>
+Signed-off-by: Wafer <wafer@jaguarmicro.com>
+Message-Id: <20240407015451.5228-2-wafer@jaguarmicro.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 2d9a31b3c27311eca1682cb2c076d7a300441960)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/virtio/virtio.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index b7da7f074d..e4f8ed1e63 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -1367,12 +1367,20 @@ static void virtqueue_packed_flush(VirtQueue *vq, unsigned int count)
+         return;
+     }
+ 
++    /*
++     * For indirect element's 'ndescs' is 1.
++     * For all other elemment's 'ndescs' is the
++     * number of descriptors chained by NEXT (as set in virtqueue_packed_pop).
++     * So When the 'elem' be filled into the descriptor ring,
++     * The 'idx' of this 'elem' shall be
++     * the value of 'vq->used_idx' plus the 'ndescs'.
++     */
++    ndescs += vq->used_elems[0].ndescs;
+     for (i = 1; i < count; i++) {
+-        virtqueue_packed_fill_desc(vq, &vq->used_elems[i], i, false);
++        virtqueue_packed_fill_desc(vq, &vq->used_elems[i], ndescs, false);
+         ndescs += vq->used_elems[i].ndescs;
+     }
+     virtqueue_packed_fill_desc(vq, &vq->used_elems[0], 0, true);
+-    ndescs += vq->used_elems[0].ndescs;
+ 
+     vq->inuse -= ndescs;
+     vq->used_idx += ndescs;

debian/patches/extra/0019-ui-vnc.c-Fixed-a-deadlock-bug.patch

@@ -1,72 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Rao Lei <lei.rao@intel.com>
-Date: Fri, 6 May 2022 14:38:36 +0200
-Subject: [PATCH] ui/vnc.c: Fixed a deadlock bug.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The GDB statck is as follows:
-(gdb) bt
-0  __lll_lock_wait (futex=futex@entry=0x56211df20360, private=0) at lowlevellock.c:52
-1  0x00007f263caf20a3 in __GI___pthread_mutex_lock (mutex=0x56211df20360) at ../nptl/pthread_mutex_lock.c:80
-2  0x000056211a757364 in qemu_mutex_lock_impl (mutex=0x56211df20360, file=0x56211a804857 "../ui/vnc-jobs.h", line=60)
-    at ../util/qemu-thread-posix.c:80
-3  0x000056211a0ef8c7 in vnc_lock_output (vs=0x56211df14200) at ../ui/vnc-jobs.h:60
-4  0x000056211a0efcb7 in vnc_clipboard_send (vs=0x56211df14200, count=1, dwords=0x7ffdf1701338) at ../ui/vnc-clipboard.c:138
-5  0x000056211a0f0129 in vnc_clipboard_notify (notifier=0x56211df244c8, data=0x56211dd1bbf0) at ../ui/vnc-clipboard.c:209
-6  0x000056211a75dde8 in notifier_list_notify (list=0x56211afa17d0 <clipboard_notifiers>, data=0x56211dd1bbf0) at ../util/notify.c:39
-7  0x000056211a0bf0e6 in qemu_clipboard_update (info=0x56211dd1bbf0) at ../ui/clipboard.c:50
-8  0x000056211a0bf05d in qemu_clipboard_peer_release (peer=0x56211df244c0, selection=QEMU_CLIPBOARD_SELECTION_CLIPBOARD)
-    at ../ui/clipboard.c:41
-9  0x000056211a0bef9b in qemu_clipboard_peer_unregister (peer=0x56211df244c0) at ../ui/clipboard.c:19
-10 0x000056211a0d45f3 in vnc_disconnect_finish (vs=0x56211df14200) at ../ui/vnc.c:1358
-11 0x000056211a0d4c9d in vnc_client_read (vs=0x56211df14200) at ../ui/vnc.c:1611
-12 0x000056211a0d4df8 in vnc_client_io (ioc=0x56211ce70690, condition=G_IO_IN, opaque=0x56211df14200) at ../ui/vnc.c:1649
-13 0x000056211a5b976c in qio_channel_fd_source_dispatch
-    (source=0x56211ce50a00, callback=0x56211a0d4d71 <vnc_client_io>, user_data=0x56211df14200) at ../io/channel-watch.c:84
-14 0x00007f263ccede8e in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
-15 0x000056211a77d4a1 in glib_pollfds_poll () at ../util/main-loop.c:232
-16 0x000056211a77d51f in os_host_main_loop_wait (timeout=958545) at ../util/main-loop.c:255
-17 0x000056211a77d630 in main_loop_wait (nonblocking=0) at ../util/main-loop.c:531
-18 0x000056211a45bc8e in qemu_main_loop () at ../softmmu/runstate.c:726
-19 0x000056211a0b45fa in main (argc=69, argv=0x7ffdf1701778, envp=0x7ffdf17019a8) at ../softmmu/main.c:50
-
-From the call trace, we can see it is a deadlock bug.
-vnc_disconnect_finish will acquire the output_mutex.
-But, the output_mutex will be acquired again in vnc_clipboard_send.
-Repeated locking will cause deadlock. So, I move
-qemu_clipboard_peer_unregister() behind vnc_unlock_output();
-
-Fixes: 0bf41cab93e ("ui/vnc: clipboard support")
-Signed-off-by: Lei Rao <lei.rao@intel.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20220105020808.597325-1-lei.rao@intel.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry-picked from commit 1dbbe6f172810026c51dc84ed927a3cc23017949)
-[FE: trivial backport for 6.2]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- ui/vnc.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index af02522e84..b253e85c65 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -1354,12 +1354,12 @@ void vnc_disconnect_finish(VncState *vs)
-         /* last client gone */
-         vnc_update_server_surface(vs->vd);
-     }
-+    vnc_unlock_output(vs);
-+
-     if (vs->cbpeer.update.notify) {
-         qemu_clipboard_peer_unregister(&vs->cbpeer);
-     }
- 
--    vnc_unlock_output(vs);
--
-     qemu_mutex_destroy(&vs->output_mutex);
-     if (vs->bh != NULL) {
-         qemu_bh_delete(vs->bh);

debian/patches/extra/0020-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch

@@ -1,37 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Thu, 7 Apr 2022 10:11:06 +0200
-Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
- (CVE-2021-4207)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Avoid fetching 'width' and 'height' a second time to prevent possible
-race condition. Refer to security advisory
-https://starlabs.sg/advisories/22-4207/ for more information.
-
-Fixes: CVE-2021-4207
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/display/qxl-render.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
-index d28849b121..237ed293ba 100644
---- a/hw/display/qxl-render.c
-+++ b/hw/display/qxl-render.c
-@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
-         }
-         break;
-     case SPICE_CURSOR_TYPE_ALPHA:
--        size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
-+        size = sizeof(uint32_t) * c->width * c->height;
-         qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
-         if (qxl->debug > 2) {
-             cursor_print_ascii_art(c, "qxl/alpha");

debian/patches/extra/0021-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch

@@ -1,83 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Thu, 7 Apr 2022 10:17:12 +0200
-Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
- (CVE-2021-4206)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Prevent potential integer overflow by limiting 'width' and 'height' to
-512x512. Also change 'datasize' type to size_t. Refer to security
-advisory https://starlabs.sg/advisories/22-4206/ for more information.
-
-Fixes: CVE-2021-4206
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit fa892e9abb728e76afcf27323ab29c57fb0fe7aa)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/display/qxl-render.c | 7 +++++++
- hw/display/vmware_vga.c | 2 ++
- ui/cursor.c             | 8 +++++++-
- 3 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
-index 237ed293ba..ca217004bf 100644
---- a/hw/display/qxl-render.c
-+++ b/hw/display/qxl-render.c
-@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
-     size_t size;
- 
-     c = cursor_alloc(cursor->header.width, cursor->header.height);
-+
-+    if (!c) {
-+        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
-+                cursor->header.width, cursor->header.height);
-+        goto fail;
-+    }
-+
-     c->hot_x = cursor->header.hot_spot_x;
-     c->hot_y = cursor->header.hot_spot_y;
-     switch (cursor->header.type) {
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index e2969a6c81..2b81d6122f 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -509,6 +509,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
-     int i, pixels;
- 
-     qc = cursor_alloc(c->width, c->height);
-+    assert(qc != NULL);
-+
-     qc->hot_x = c->hot_x;
-     qc->hot_y = c->hot_y;
-     switch (c->bpp) {
-diff --git a/ui/cursor.c b/ui/cursor.c
-index 1d62ddd4d0..835f0802f9 100644
---- a/ui/cursor.c
-+++ b/ui/cursor.c
-@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
- 
-     /* parse pixel data */
-     c = cursor_alloc(width, height);
-+    assert(c != NULL);
-+
-     for (pixel = 0, y = 0; y < height; y++, line++) {
-         for (x = 0; x < height; x++, pixel++) {
-             idx = xpm[line][x];
-@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
- QEMUCursor *cursor_alloc(int width, int height)
- {
-     QEMUCursor *c;
--    int datasize = width * height * sizeof(uint32_t);
-+    size_t datasize = width * height * sizeof(uint32_t);
-+
-+    if (width > 512 || height > 512) {
-+        return NULL;
-+    }
- 
-     c = g_malloc0(sizeof(QEMUCursor) + datasize);
-     c->width  = width;

debian/patches/pve/0001-PVE-Config-block-file-change-locking-default-to-off.patch

@@ -14,7 +14,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/block/file-posix.c b/block/file-posix.c
-index b283093e5b..821405fd02 100644
+index b9647c5ffc..9a16d86344 100644
 --- a/block/file-posix.c
 +++ b/block/file-posix.c
 @@ -552,7 +552,7 @@ static QemuOptsList raw_runtime_opts = {

debian/patches/pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch

@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/include/net/net.h b/include/net/net.h
-index 523136c7ac..c27859b4f6 100644
+index 5a7c0e9ebf..59dde996f9 100644
 --- a/include/net/net.h
 +++ b/include/net/net.h
-@@ -226,8 +226,8 @@ void netdev_add(QemuOpts *opts, Error **errp);
+@@ -238,8 +238,8 @@ void netdev_add(QemuOpts *opts, Error **errp);
  int net_hub_id_for_client(NetClientState *nc, int *id);
  NetClientState *net_hub_port_find(int hub_id);
  

debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch

@@ -10,10 +10,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 04f2b790c9..19fdbb981c 100644
+index 326649ca99..24d21486bc 100644
 --- a/target/i386/cpu.h
 +++ b/target/i386/cpu.h
-@@ -2039,9 +2039,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+@@ -2174,9 +2174,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
  #define CPU_RESOLVING_TYPE TYPE_X86_CPU
  
  #ifdef TARGET_X86_64

debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch

@@ -9,7 +9,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 9 insertions(+), 6 deletions(-)
 
 diff --git a/ui/spice-core.c b/ui/spice-core.c
-index 31974b8d6c..a3acdbd682 100644
+index c3ac20ad43..37774f1c0a 100644
 --- a/ui/spice-core.c
 +++ b/ui/spice-core.c
 @@ -689,32 +689,35 @@ static void qemu_spice_init(void)

debian/patches/pve/0005-PVE-Config-glusterfs-no-default-logfile-if-daemonize.patch

@@ -9,7 +9,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 11 insertions(+), 4 deletions(-)
 
 diff --git a/block/gluster.c b/block/gluster.c
-index 592e71b22a..aebfece6eb 100644
+index 7c90f7ba4b..2e03102f00 100644
 --- a/block/gluster.c
 +++ b/block/gluster.c
 @@ -42,7 +42,7 @@

debian/patches/pve/0006-PVE-Config-rbd-block-rbd-disable-rbd_cache_writethro.patch

@@ -18,7 +18,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+)
 
 diff --git a/block/rbd.c b/block/rbd.c
-index def96292e0..a4b8fb482c 100644
+index f826410f40..64a8d7d48b 100644
 --- a/block/rbd.c
 +++ b/block/rbd.c
 @@ -820,6 +820,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,

debian/patches/pve/0007-PVE-Up-qmp-add-get_link_status.patch

@@ -4,17 +4,19 @@ Date: Mon, 6 Apr 2020 12:16:37 +0200
 Subject: [PATCH] PVE: [Up] qmp: add get_link_status
 
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: add get_link_status to command name exceptions]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  net/net.c        | 27 +++++++++++++++++++++++++++
  qapi/net.json    | 15 +++++++++++++++
- qapi/pragma.json |  1 +
- 3 files changed, 43 insertions(+)
+ qapi/pragma.json |  2 ++
+ 3 files changed, 44 insertions(+)
 
 diff --git a/net/net.c b/net/net.c
-index f0d14dbfc1..6d476c47ef 100644
+index c3391168f6..f7d984f6f5 100644
 --- a/net/net.c
 +++ b/net/net.c
-@@ -1334,6 +1334,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
+@@ -1387,6 +1387,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
      }
  }
  
@@ -49,10 +51,10 @@ index f0d14dbfc1..6d476c47ef 100644
  {
      NetClientState *nc;
 diff --git a/qapi/net.json b/qapi/net.json
-index 7fab2e7cd8..74c9a6109e 100644
+index 522ac582ed..327d7c5a37 100644
 --- a/qapi/net.json
 +++ b/qapi/net.json
-@@ -35,6 +35,21 @@
+@@ -36,6 +36,21 @@
  ##
  { 'command': 'set_link', 'data': {'name': 'str', 'up': 'bool'} }
  
@@ -75,12 +77,20 @@ index 7fab2e7cd8..74c9a6109e 100644
  # @netdev_add:
  #
 diff --git a/qapi/pragma.json b/qapi/pragma.json
-index 3bc0335d1f..7c91ea3685 100644
+index 7f810b0e97..29233db825 100644
 --- a/qapi/pragma.json
 +++ b/qapi/pragma.json
-@@ -22,6 +22,7 @@
-         'system_reset',
+@@ -15,6 +15,7 @@
+         'device_add',
+         'device_del',
+         'expire_password',
++        'get_link_status',
+         'migrate_cancel',
+         'netdev_add',
+         'netdev_del',
+@@ -26,6 +27,7 @@
          'system_wakeup' ],
+     # Commands allowed to return a non-dictionary
      'command-returns-exceptions': [
 +        'get_link_status',
          'human-monitor-command',

debian/patches/pve/0008-PVE-Up-glusterfs-allow-partial-reads.patch

@@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 9 insertions(+), 1 deletion(-)
 
 diff --git a/block/gluster.c b/block/gluster.c
-index aebfece6eb..3b7ee2f649 100644
+index 2e03102f00..7886c5fe8c 100644
 --- a/block/gluster.c
 +++ b/block/gluster.c
 @@ -57,6 +57,7 @@ typedef struct GlusterAIOCB {
@@ -59,7 +59,7 @@ index aebfece6eb..3b7ee2f649 100644
          ret = glfs_preadv_async(s->fd, qiov->iov, qiov->niov, offset, 0,
                                  gluster_finish_aiocb, &acb);
      }
-@@ -1269,6 +1275,7 @@ static coroutine_fn int qemu_gluster_co_flush_to_disk(BlockDriverState *bs)
+@@ -1268,6 +1274,7 @@ static coroutine_fn int qemu_gluster_co_flush_to_disk(BlockDriverState *bs)
      acb.ret = 0;
      acb.coroutine = qemu_coroutine_self();
      acb.aio_context = bdrv_get_aio_context(bs);
@@ -67,7 +67,7 @@ index aebfece6eb..3b7ee2f649 100644
  
      ret = glfs_fsync_async(s->fd, gluster_finish_aiocb, &acb);
      if (ret < 0) {
-@@ -1317,6 +1324,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs,
+@@ -1316,6 +1323,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs,
      acb.ret = 0;
      acb.coroutine = qemu_coroutine_self();
      acb.aio_context = bdrv_get_aio_context(bs);

debian/patches/pve/0009-PVE-Up-qemu-img-return-success-on-info-without-snaps.patch

@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/qemu-img.c b/qemu-img.c
-index f036a1d428..080ad9bca7 100644
+index 2c32d9da4e..b9636714f6 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -2989,7 +2989,8 @@ static int img_info(int argc, char **argv)
+@@ -3013,7 +3013,8 @@ static int img_info(int argc, char **argv)
      list = collect_image_info_list(image_opts, filename, fmt, chain,
                                     force_share);
      if (!list) {

debian/patches/pve/0010-PVE-Up-qemu-img-dd-add-osize-and-read-from-to-stdin-.patch

@@ -31,13 +31,14 @@ override the output file's size.
 
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  qemu-img-cmds.hx |   4 +-
- qemu-img.c       | 187 +++++++++++++++++++++++++++++------------------
- 2 files changed, 119 insertions(+), 72 deletions(-)
+ qemu-img.c       | 202 ++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 133 insertions(+), 73 deletions(-)
 
 diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx
-index 72bcdcfbfa..0b2999f3ab 100644
+index 1b1dab5b17..d1616c045a 100644
 --- a/qemu-img-cmds.hx
 +++ b/qemu-img-cmds.hx
 @@ -58,9 +58,9 @@ SRST
@@ -53,10 +54,10 @@ index 72bcdcfbfa..0b2999f3ab 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index 080ad9bca7..1f457d9e80 100644
+index b9636714f6..0f6a4e4e57 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4805,10 +4805,12 @@ static int img_bitmap(int argc, char **argv)
+@@ -4840,10 +4840,12 @@ static int img_bitmap(int argc, char **argv)
  #define C_IF      04
  #define C_OF      010
  #define C_SKIP    020
@@ -69,7 +70,7 @@ index 080ad9bca7..1f457d9e80 100644
  };
  
  struct DdIo {
-@@ -4884,6 +4886,19 @@ static int img_dd_skip(const char *arg,
+@@ -4919,6 +4921,19 @@ static int img_dd_skip(const char *arg,
      return 0;
  }
  
@@ -89,7 +90,7 @@ index 080ad9bca7..1f457d9e80 100644
  static int img_dd(int argc, char **argv)
  {
      int ret = 0;
-@@ -4924,6 +4939,7 @@ static int img_dd(int argc, char **argv)
+@@ -4959,6 +4974,7 @@ static int img_dd(int argc, char **argv)
          { "if", img_dd_if, C_IF },
          { "of", img_dd_of, C_OF },
          { "skip", img_dd_skip, C_SKIP },
@@ -97,7 +98,7 @@ index 080ad9bca7..1f457d9e80 100644
          { NULL, NULL, 0 }
      };
      const struct option long_options[] = {
-@@ -4999,91 +5015,112 @@ static int img_dd(int argc, char **argv)
+@@ -5034,91 +5050,112 @@ static int img_dd(int argc, char **argv)
          arg = NULL;
      }
  
@@ -153,9 +154,9 @@ index 080ad9bca7..1f457d9e80 100644
      }
 -    create_opts = qemu_opts_append(create_opts, drv->create_opts);
 -    create_opts = qemu_opts_append(create_opts, proto_drv->create_opts);
- 
--    opts = qemu_opts_create(create_opts, NULL, 0, &error_abort);
 -
+-    opts = qemu_opts_create(create_opts, NULL, 0, &error_abort);
+ 
 -    size = blk_getlength(blk1);
 -    if (size < 0) {
 -        error_report("Failed to get size for '%s'", in.filename);
@@ -274,41 +275,54 @@ index 080ad9bca7..1f457d9e80 100644
      }
  
      if (dd.flags & C_SKIP && (in.offset > INT64_MAX / in.bsz ||
-@@ -5101,11 +5138,17 @@ static int img_dd(int argc, char **argv)
+@@ -5135,20 +5172,43 @@ static int img_dd(int argc, char **argv)
+     in.buf = g_new(uint8_t, in.bsz);
  
-     for (out_pos = 0; in_pos < size; block_count++) {
-         int in_ret, out_ret;
+     for (out_pos = 0; in_pos < size; ) {
++        int in_ret, out_ret;
+         int bytes = (in_pos + in.bsz > size) ? size - in_pos : in.bsz;
 -
--        if (in_pos + in.bsz > size) {
--            in_ret = blk_pread(blk1, in_pos, in.buf, size - in_pos);
-+        size_t in_bsz = in_pos + in.bsz > size ? size - in_pos : in.bsz;
+-        ret = blk_pread(blk1, in_pos, bytes, in.buf, 0);
+-        if (ret < 0) {
 +        if (blk1) {
-+            in_ret = blk_pread(blk1, in_pos, in.buf, in_bsz);
-         } else {
--            in_ret = blk_pread(blk1, in_pos, in.buf, in.bsz);
-+            in_ret = read(STDIN_FILENO, in.buf, in_bsz);
++            in_ret = blk_pread(blk1, in_pos, bytes, in.buf, 0);
++            if (in_ret == 0) {
++                in_ret = bytes;
++            }
++        } else {
++            in_ret = read(STDIN_FILENO, in.buf, bytes);
 +            if (in_ret == 0) {
 +                /* early EOF is considered an error */
 +                error_report("Input ended unexpectedly");
 +                ret = -1;
 +                goto out;
 +            }
-         }
-         if (in_ret < 0) {
++        }
++        if (in_ret < 0) {
              error_report("error while reading from input image file: %s",
-@@ -5115,9 +5158,13 @@ static int img_dd(int argc, char **argv)
+-                         strerror(-ret));
++                         strerror(-in_ret));
++            ret = -1;
+             goto out;
          }
-         in_pos += in_ret;
+         in_pos += bytes;
  
--        out_ret = blk_pwrite(blk2, out_pos, in.buf, in_ret, 0);
+-        ret = blk_pwrite(blk2, out_pos, bytes, in.buf, 0);
+-        if (ret < 0) {
 +        if (blk2) {
-+            out_ret = blk_pwrite(blk2, out_pos, in.buf, in_ret, 0);
++            out_ret = blk_pwrite(blk2, out_pos, in_ret, in.buf, 0);
++            if (out_ret == 0) {
++                out_ret = in_ret;
++            }
 +        } else {
 +            out_ret = write(STDOUT_FILENO, in.buf, in_ret);
 +        }
- 
--        if (out_ret < 0) {
++
 +        if (out_ret != in_ret) {
              error_report("error while writing to output image file: %s",
-                          strerror(-out_ret));
-             ret = -1;
+-                         strerror(-ret));
++                         strerror(-out_ret));
++            ret = -1;
+             goto out;
+         }
+         out_pos += bytes;

debian/patches/pve/0011-PVE-Up-qemu-img-dd-add-isize-parameter.patch

@@ -10,15 +10,16 @@ an expected end of input.
 
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  qemu-img.c | 28 +++++++++++++++++++++++++---
  1 file changed, 25 insertions(+), 3 deletions(-)
 
 diff --git a/qemu-img.c b/qemu-img.c
-index 1f457d9e80..d9e8a8c4d4 100644
+index 0f6a4e4e57..a3cd66e56c 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4806,11 +4806,13 @@ static int img_bitmap(int argc, char **argv)
+@@ -4841,11 +4841,13 @@ static int img_bitmap(int argc, char **argv)
  #define C_OF      010
  #define C_SKIP    020
  #define C_OSIZE   040
@@ -32,7 +33,7 @@ index 1f457d9e80..d9e8a8c4d4 100644
  };
  
  struct DdIo {
-@@ -4899,6 +4901,19 @@ static int img_dd_osize(const char *arg,
+@@ -4934,6 +4936,19 @@ static int img_dd_osize(const char *arg,
      return 0;
  }
  
@@ -52,13 +53,13 @@ index 1f457d9e80..d9e8a8c4d4 100644
  static int img_dd(int argc, char **argv)
  {
      int ret = 0;
-@@ -4913,12 +4928,14 @@ static int img_dd(int argc, char **argv)
+@@ -4948,12 +4963,14 @@ static int img_dd(int argc, char **argv)
      int c, i;
      const char *out_fmt = "raw";
      const char *fmt = NULL;
 -    int64_t size = 0;
 +    int64_t size = 0, readsize = 0;
-     int64_t block_count = 0, out_pos, in_pos;
+     int64_t out_pos, in_pos;
      bool force_share = false;
      struct DdInfo dd = {
          .flags = 0,
@@ -68,7 +69,7 @@ index 1f457d9e80..d9e8a8c4d4 100644
      };
      struct DdIo in = {
          .bsz = 512, /* Block size is by default 512 bytes */
-@@ -4940,6 +4957,7 @@ static int img_dd(int argc, char **argv)
+@@ -4975,6 +4992,7 @@ static int img_dd(int argc, char **argv)
          { "of", img_dd_of, C_OF },
          { "skip", img_dd_skip, C_SKIP },
          { "osize", img_dd_osize, C_OSIZE },
@@ -76,20 +77,22 @@ index 1f457d9e80..d9e8a8c4d4 100644
          { NULL, NULL, 0 }
      };
      const struct option long_options[] = {
-@@ -5136,14 +5154,18 @@ static int img_dd(int argc, char **argv)
+@@ -5171,9 +5189,10 @@ static int img_dd(int argc, char **argv)
  
      in.buf = g_new(uint8_t, in.bsz);
  
--    for (out_pos = 0; in_pos < size; block_count++) {
+-    for (out_pos = 0; in_pos < size; ) {
 +    readsize = (dd.isize > 0) ? dd.isize : size;
-+    for (out_pos = 0; in_pos < readsize; block_count++) {
++    for (out_pos = 0; in_pos < readsize; ) {
          int in_ret, out_ret;
--        size_t in_bsz = in_pos + in.bsz > size ? size - in_pos : in.bsz;
-+        size_t in_bsz = in_pos + in.bsz > readsize ? readsize - in_pos : in.bsz;
+-        int bytes = (in_pos + in.bsz > size) ? size - in_pos : in.bsz;
++        int bytes = (in_pos + in.bsz > readsize) ? readsize - in_pos : in.bsz;
          if (blk1) {
-             in_ret = blk_pread(blk1, in_pos, in.buf, in_bsz);
+             in_ret = blk_pread(blk1, in_pos, bytes, in.buf, 0);
+             if (in_ret == 0) {
+@@ -5182,6 +5201,9 @@ static int img_dd(int argc, char **argv)
          } else {
-             in_ret = read(STDIN_FILENO, in.buf, in_bsz);
+             in_ret = read(STDIN_FILENO, in.buf, bytes);
              if (in_ret == 0) {
 +                if (dd.isize == 0) {
 +                    goto out;

debian/patches/pve/0012-PVE-Up-qemu-img-dd-add-n-skip_create.patch

@@ -5,7 +5,7 @@ Subject: [PATCH] PVE: [Up] qemu-img dd: add -n skip_create
 
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 [FE: fix getopt-string + add documentation]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  docs/tools/qemu-img.rst | 11 ++++++++++-
  qemu-img-cmds.hx        |  4 ++--
@@ -13,7 +13,7 @@ Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
  3 files changed, 26 insertions(+), 12 deletions(-)
 
 diff --git a/docs/tools/qemu-img.rst b/docs/tools/qemu-img.rst
-index d663dd92bd..a49badb158 100644
+index 15aeddc6d8..5e713e231d 100644
 --- a/docs/tools/qemu-img.rst
 +++ b/docs/tools/qemu-img.rst
 @@ -208,6 +208,10 @@ Parameters to convert subcommand:
@@ -49,7 +49,7 @@ index d663dd92bd..a49badb158 100644
  
    Give information about the disk image *FILENAME*. Use it in
 diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx
-index 0b2999f3ab..f3b2b1b4de 100644
+index d1616c045a..b5b0bb4467 100644
 --- a/qemu-img-cmds.hx
 +++ b/qemu-img-cmds.hx
 @@ -58,9 +58,9 @@ SRST
@@ -65,19 +65,19 @@ index 0b2999f3ab..f3b2b1b4de 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index d9e8a8c4d4..015d6d2ce4 100644
+index a3cd66e56c..4f5ef5b887 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4930,7 +4930,7 @@ static int img_dd(int argc, char **argv)
+@@ -4965,7 +4965,7 @@ static int img_dd(int argc, char **argv)
      const char *fmt = NULL;
      int64_t size = 0, readsize = 0;
-     int64_t block_count = 0, out_pos, in_pos;
+     int64_t out_pos, in_pos;
 -    bool force_share = false;
 +    bool force_share = false, skip_create = false;
      struct DdInfo dd = {
          .flags = 0,
          .count = 0,
-@@ -4968,7 +4968,7 @@ static int img_dd(int argc, char **argv)
+@@ -5003,7 +5003,7 @@ static int img_dd(int argc, char **argv)
          { 0, 0, 0, 0 }
      };
  
@@ -86,7 +86,7 @@ index d9e8a8c4d4..015d6d2ce4 100644
          if (c == EOF) {
              break;
          }
-@@ -4988,6 +4988,9 @@ static int img_dd(int argc, char **argv)
+@@ -5023,6 +5023,9 @@ static int img_dd(int argc, char **argv)
          case 'h':
              help();
              break;
@@ -96,7 +96,7 @@ index d9e8a8c4d4..015d6d2ce4 100644
          case 'U':
              force_share = true;
              break;
-@@ -5118,13 +5121,15 @@ static int img_dd(int argc, char **argv)
+@@ -5153,13 +5156,15 @@ static int img_dd(int argc, char **argv)
                                  size - in.bsz * in.offset, &error_abort);
          }
  

debian/patches/pve/0013-PVE-virtio-balloon-improve-query-balloon.patch

@@ -7,17 +7,20 @@ Actually provide memory information via the query-balloon
 command.
 
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: add BalloonInfo to member name exceptions list]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  hw/virtio/virtio-balloon.c | 33 +++++++++++++++++++++++++++++++--
  monitor/hmp-cmds.c         | 30 +++++++++++++++++++++++++++++-
  qapi/machine.json          | 22 +++++++++++++++++++++-
- 3 files changed, 81 insertions(+), 4 deletions(-)
+ qapi/pragma.json           |  1 +
+ 4 files changed, 82 insertions(+), 4 deletions(-)
 
 diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
-index 9a4f491b54..1faa16234e 100644
+index e4c4c2d3c8..49874569b1 100644
 --- a/hw/virtio/virtio-balloon.c
 +++ b/hw/virtio/virtio-balloon.c
-@@ -812,8 +812,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f,
+@@ -806,8 +806,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f,
  static void virtio_balloon_stat(void *opaque, BalloonInfo *info)
  {
      VirtIOBalloon *dev = opaque;
@@ -58,7 +61,7 @@ index 9a4f491b54..1faa16234e 100644
  
  static void virtio_balloon_to_target(void *opaque, ram_addr_t target)
 diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index 2e91ccb738..e9fa9af6bd 100644
+index 01b789a79e..480b798963 100644
 --- a/monitor/hmp-cmds.c
 +++ b/monitor/hmp-cmds.c
 @@ -696,7 +696,35 @@ void hmp_info_balloon(Monitor *mon, const QDict *qdict)
@@ -99,10 +102,10 @@ index 2e91ccb738..e9fa9af6bd 100644
      qapi_free_BalloonInfo(info);
  }
 diff --git a/qapi/machine.json b/qapi/machine.json
-index 067e3f5378..91f3be6f44 100644
+index b9228a5e46..10e77a9af3 100644
 --- a/qapi/machine.json
 +++ b/qapi/machine.json
-@@ -1018,10 +1018,30 @@
+@@ -1054,9 +1054,29 @@
  # @actual: the logical size of the VM in bytes
  #          Formula used: logical_vm_size = vm_ram_size - balloon_size
  #
@@ -123,7 +126,6 @@ index 067e3f5378..91f3be6f44 100644
 +# @max_mem: amount of memory (in bytes) assigned to the guest
 +#
  # Since: 0.14
- #
  ##
 -{ 'struct': 'BalloonInfo', 'data': {'actual': 'int' } }
 +{ 'struct': 'BalloonInfo',
@@ -134,3 +136,15 @@ index 067e3f5378..91f3be6f44 100644
  
  ##
  # @query-balloon:
+diff --git a/qapi/pragma.json b/qapi/pragma.json
+index 29233db825..f2097b9020 100644
+--- a/qapi/pragma.json
++++ b/qapi/pragma.json
+@@ -37,6 +37,7 @@
+     'member-name-exceptions': [     # visible in:
+         'ACPISlotType',             # query-acpi-ospm-status
+         'AcpiTableOptions',         # -acpitable
++        'BalloonInfo',              # query-balloon
+         'BlkdebugEvent',            # blockdev-add, -blockdev
+         'BlkdebugSetStateOptions',  # blockdev-add, -blockdev
+         'BlockDeviceInfo',          # query-block

debian/patches/pve/0014-PVE-qapi-modify-query-machines.patch

@@ -30,10 +30,10 @@ index 4f4ab30f8c..76fff60a6b 100644
              info->default_cpu_type = g_strdup(mc->default_cpu_type);
              info->has_default_cpu_type = true;
 diff --git a/qapi/machine.json b/qapi/machine.json
-index 91f3be6f44..0905618e25 100644
+index 10e77a9af3..9156103c8f 100644
 --- a/qapi/machine.json
 +++ b/qapi/machine.json
-@@ -141,6 +141,8 @@
+@@ -138,6 +138,8 @@
  #
  # @is-default: whether the machine is default
  #
@@ -42,7 +42,7 @@ index 91f3be6f44..0905618e25 100644
  # @cpu-max: maximum number of CPUs supported by the machine type
  #           (since 1.5)
  #
-@@ -162,7 +164,7 @@
+@@ -159,7 +161,7 @@
  ##
  { 'struct': 'MachineInfo',
    'data': { 'name': 'str', '*alias': 'str',

debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch

@@ -12,10 +12,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 8 insertions(+)
 
 diff --git a/qapi/ui.json b/qapi/ui.json
-index 4244c62c30..f946fbd8c1 100644
+index 0abba3e930..bf8f441227 100644
 --- a/qapi/ui.json
 +++ b/qapi/ui.json
-@@ -333,11 +333,14 @@
+@@ -310,11 +310,14 @@
  #
  # @channels: a list of @SpiceChannel for each active spice channel
  #
@@ -31,7 +31,7 @@ index 4244c62c30..f946fbd8c1 100644
    'if': 'CONFIG_SPICE' }
  
 diff --git a/ui/spice-core.c b/ui/spice-core.c
-index a3acdbd682..756776778d 100644
+index 37774f1c0a..367f77f2b4 100644
 --- a/ui/spice-core.c
 +++ b/ui/spice-core.c
 @@ -534,6 +534,11 @@ static SpiceInfo *qmp_query_spice_real(Error **errp)

debian/patches/pve/0016-PVE-add-IOChannel-implementation-for-savevm-async.patch

@@ -0,0 +1,281 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Thu, 13 Oct 2022 11:33:50 +0200
+Subject: [PATCH] PVE: add IOChannel implementation for savevm-async
+
+based on migration/channel-block.c and the implementation that was
+present in migration/savevm-async.c before QEMU 7.1.
+
+Passes along read/write requests to the given BlockBackend, while
+ensuring that a read request going beyond the end results in a
+graceful short read.
+
+Additionally, allows tracking the current position from the outside
+(intended to be used for progress tracking).
+
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ migration/channel-savevm-async.c | 182 +++++++++++++++++++++++++++++++
+ migration/channel-savevm-async.h |  51 +++++++++
+ migration/meson.build            |   1 +
+ 3 files changed, 234 insertions(+)
+ create mode 100644 migration/channel-savevm-async.c
+ create mode 100644 migration/channel-savevm-async.h
+
+diff --git a/migration/channel-savevm-async.c b/migration/channel-savevm-async.c
+new file mode 100644
+index 0000000000..06d5484778
+--- /dev/null
++++ b/migration/channel-savevm-async.c
+@@ -0,0 +1,182 @@
++/*
++ * QIO Channel implementation to be used by savevm-async QMP calls
++ */
++#include "qemu/osdep.h"
++#include "migration/channel-savevm-async.h"
++#include "qapi/error.h"
++#include "sysemu/block-backend.h"
++#include "trace.h"
++
++QIOChannelSavevmAsync *
++qio_channel_savevm_async_new(BlockBackend *be, size_t *bs_pos)
++{
++    QIOChannelSavevmAsync *ioc;
++
++    ioc = QIO_CHANNEL_SAVEVM_ASYNC(object_new(TYPE_QIO_CHANNEL_SAVEVM_ASYNC));
++
++    bdrv_ref(blk_bs(be));
++    ioc->be = be;
++    ioc->bs_pos = bs_pos;
++
++    return ioc;
++}
++
++
++static void
++qio_channel_savevm_async_finalize(Object *obj)
++{
++    QIOChannelSavevmAsync *ioc = QIO_CHANNEL_SAVEVM_ASYNC(obj);
++
++    if (ioc->be) {
++        bdrv_unref(blk_bs(ioc->be));
++        ioc->be = NULL;
++    }
++    ioc->bs_pos = NULL;
++}
++
++
++static ssize_t
++qio_channel_savevm_async_readv(QIOChannel *ioc,
++                               const struct iovec *iov,
++                               size_t niov,
++                               int **fds,
++                               size_t *nfds,
++                               Error **errp)
++{
++    QIOChannelSavevmAsync *saioc = QIO_CHANNEL_SAVEVM_ASYNC(ioc);
++    BlockBackend *be = saioc->be;
++    int64_t maxlen = blk_getlength(be);
++    QEMUIOVector qiov;
++    size_t size;
++    int ret;
++
++    qemu_iovec_init_external(&qiov, (struct iovec *)iov, niov);
++
++    if (*saioc->bs_pos >= maxlen) {
++        error_setg(errp, "cannot read beyond maxlen");
++        return -1;
++    }
++
++    if (maxlen - *saioc->bs_pos < qiov.size) {
++        size = maxlen - *saioc->bs_pos;
++    } else {
++        size = qiov.size;
++    }
++
++    // returns 0 on success
++    ret = blk_preadv(be, *saioc->bs_pos, size, &qiov, 0);
++    if (ret < 0) {
++        error_setg_errno(errp, -ret, "blk_preadv failed");
++        return -1;
++    }
++
++    *saioc->bs_pos += size;
++    return size;
++}
++
++
++static ssize_t
++qio_channel_savevm_async_writev(QIOChannel *ioc,
++                                const struct iovec *iov,
++                                size_t niov,
++                                int *fds,
++                                size_t nfds,
++                                int flags,
++                                Error **errp)
++{
++    QIOChannelSavevmAsync *saioc = QIO_CHANNEL_SAVEVM_ASYNC(ioc);
++    BlockBackend *be = saioc->be;
++    QEMUIOVector qiov;
++    int ret;
++
++    qemu_iovec_init_external(&qiov, (struct iovec *)iov, niov);
++
++    if (qemu_in_coroutine()) {
++        ret = blk_co_pwritev(be, *saioc->bs_pos, qiov.size, &qiov, 0);
++        aio_wait_kick();
++    } else {
++        ret = blk_pwritev(be, *saioc->bs_pos, qiov.size, &qiov, 0);
++    }
++
++    if (ret < 0) {
++        error_setg_errno(errp, -ret, "blk(_co)_pwritev failed");
++        return -1;
++    }
++
++    *saioc->bs_pos += qiov.size;
++    return qiov.size;
++}
++
++
++static int
++qio_channel_savevm_async_set_blocking(QIOChannel *ioc,
++                                      bool enabled,
++                                      Error **errp)
++{
++    if (!enabled) {
++        error_setg(errp, "Non-blocking mode not supported for savevm-async");
++        return -1;
++    }
++    return 0;
++}
++
++
++static int
++qio_channel_savevm_async_close(QIOChannel *ioc,
++                               Error **errp)
++{
++    QIOChannelSavevmAsync *saioc = QIO_CHANNEL_SAVEVM_ASYNC(ioc);
++    int rv = bdrv_flush(blk_bs(saioc->be));
++
++    if (rv < 0) {
++        error_setg_errno(errp, -rv, "Unable to flush VMState");
++        return -1;
++    }
++
++    bdrv_unref(blk_bs(saioc->be));
++    saioc->be = NULL;
++    saioc->bs_pos = NULL;
++
++    return 0;
++}
++
++
++static void
++qio_channel_savevm_async_set_aio_fd_handler(QIOChannel *ioc,
++                                            AioContext *ctx,
++                                            IOHandler *io_read,
++                                            IOHandler *io_write,
++                                            void *opaque)
++{
++    // if channel-block starts doing something, check if this needs adaptation
++}
++
++
++static void
++qio_channel_savevm_async_class_init(ObjectClass *klass,
++                             void *class_data G_GNUC_UNUSED)
++{
++    QIOChannelClass *ioc_klass = QIO_CHANNEL_CLASS(klass);
++
++    ioc_klass->io_writev = qio_channel_savevm_async_writev;
++    ioc_klass->io_readv = qio_channel_savevm_async_readv;
++    ioc_klass->io_set_blocking = qio_channel_savevm_async_set_blocking;
++    ioc_klass->io_close = qio_channel_savevm_async_close;
++    ioc_klass->io_set_aio_fd_handler = qio_channel_savevm_async_set_aio_fd_handler;
++}
++
++static const TypeInfo qio_channel_savevm_async_info = {
++    .parent = TYPE_QIO_CHANNEL,
++    .name = TYPE_QIO_CHANNEL_SAVEVM_ASYNC,
++    .instance_size = sizeof(QIOChannelSavevmAsync),
++    .instance_finalize = qio_channel_savevm_async_finalize,
++    .class_init = qio_channel_savevm_async_class_init,
++};
++
++static void
++qio_channel_savevm_async_register_types(void)
++{
++    type_register_static(&qio_channel_savevm_async_info);
++}
++
++type_init(qio_channel_savevm_async_register_types);
+diff --git a/migration/channel-savevm-async.h b/migration/channel-savevm-async.h
+new file mode 100644
+index 0000000000..17ae2cb261
+--- /dev/null
++++ b/migration/channel-savevm-async.h
+@@ -0,0 +1,51 @@
++/*
++ * QEMU I/O channels driver for savevm-async.c
++ *
++ * Copyright (c) 2022 Proxmox Server Solutions
++ *
++ * Authors:
++ *  Fiona Ebner (f.ebner@proxmox.com)
++ *
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * See the COPYING file in the top-level directory.
++ */
++
++#ifndef QIO_CHANNEL_SAVEVM_ASYNC_H
++#define QIO_CHANNEL_SAVEVM_ASYNC_H
++
++#include "io/channel.h"
++#include "qom/object.h"
++
++#define TYPE_QIO_CHANNEL_SAVEVM_ASYNC "qio-channel-savevm-async"
++OBJECT_DECLARE_SIMPLE_TYPE(QIOChannelSavevmAsync, QIO_CHANNEL_SAVEVM_ASYNC)
++
++
++/**
++ * QIOChannelSavevmAsync:
++ *
++ * The QIOChannelBlock object provides a channel implementation that is able to
++ * perform I/O on any BlockBackend whose BlockDriverState directly contains a
++ * VMState (as opposed to indirectly, like qcow2). It allows tracking the
++ * current position from the outside.
++ */
++struct QIOChannelSavevmAsync {
++    QIOChannel parent;
++    BlockBackend *be;
++    size_t *bs_pos;
++};
++
++
++/**
++ * qio_channel_savevm_async_new:
++ * @be: the block backend
++ * @bs_pos: used to keep track of the IOChannels current position
++ *
++ * Create a new IO channel object that can perform I/O on a BlockBackend object
++ * whose BlockDriverState directly contains a VMState.
++ *
++ * Returns: the new channel object
++ */
++QIOChannelSavevmAsync *
++qio_channel_savevm_async_new(BlockBackend *be, size_t *bs_pos);
++
++#endif /* QIO_CHANNEL_SAVEVM_ASYNC_H */
+diff --git a/migration/meson.build b/migration/meson.build
+index 690487cf1a..8cac83c06c 100644
+--- a/migration/meson.build
++++ b/migration/meson.build
+@@ -13,6 +13,7 @@ softmmu_ss.add(files(
+   'block-dirty-bitmap.c',
+   'channel.c',
+   'channel-block.c',
++  'channel-savevm-async.c',
+   'colo-failover.c',
+   'colo.c',
+   'exec.c',

debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch

@@ -23,26 +23,30 @@ Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 [improve aborting]
 Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
+[FE: further improve aborting
+     adapt to removal of QEMUFileOps
+     improve condition for entering final stage]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  hmp-commands-info.hx         |  13 +
- hmp-commands.hx              |  33 ++
+ hmp-commands.hx              |  33 +++
  include/migration/snapshot.h |   2 +
  include/monitor/hmp.h        |   5 +
  migration/meson.build        |   1 +
- migration/savevm-async.c     | 598 +++++++++++++++++++++++++++++++++++
+ migration/savevm-async.c     | 538 +++++++++++++++++++++++++++++++++++
  monitor/hmp-cmds.c           |  57 ++++
- qapi/migration.json          |  34 ++
- qapi/misc.json               |  32 ++
+ qapi/migration.json          |  34 +++
+ qapi/misc.json               |  32 +++
  qemu-options.hx              |  12 +
  softmmu/vl.c                 |  10 +
- 11 files changed, 797 insertions(+)
+ 11 files changed, 737 insertions(+)
  create mode 100644 migration/savevm-async.c
 
 diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
-index 407a1da800..245f8acc55 100644
+index 754b1e8408..489c524e9e 100644
 --- a/hmp-commands-info.hx
 +++ b/hmp-commands-info.hx
-@@ -536,6 +536,19 @@ SRST
+@@ -540,6 +540,19 @@ SRST
      Show current migration parameters.
  ERST
  
@@ -63,13 +67,13 @@ index 407a1da800..245f8acc55 100644
          .name       = "balloon",
          .args_type  = "",
 diff --git a/hmp-commands.hx b/hmp-commands.hx
-index 5efb47fc32..1ad13b668b 100644
+index 673e39a697..039be0033d 100644
 --- a/hmp-commands.hx
 +++ b/hmp-commands.hx
-@@ -1746,3 +1746,36 @@ ERST
-                       "\n\t\t\t -b to specify dirty bitmap as method of calculation)",
-         .cmd        = hmp_calc_dirty_rate,
-     },
+@@ -1815,3 +1815,36 @@ SRST
+   Dump the FDT in dtb format to *filename*.
+ ERST
+ #endif
 +
 +    {
 +        .name       = "savevm-start",
@@ -115,10 +119,10 @@ index e72083b117..c846d37806 100644
 +
  #endif
 diff --git a/include/monitor/hmp.h b/include/monitor/hmp.h
-index 96d014826a..3a39ba41b5 100644
+index dfbc0c9a2f..440f86aba8 100644
 --- a/include/monitor/hmp.h
 +++ b/include/monitor/hmp.h
-@@ -26,6 +26,7 @@ void hmp_info_status(Monitor *mon, const QDict *qdict);
+@@ -27,6 +27,7 @@ void hmp_info_status(Monitor *mon, const QDict *qdict);
  void hmp_info_uuid(Monitor *mon, const QDict *qdict);
  void hmp_info_chardev(Monitor *mon, const QDict *qdict);
  void hmp_info_mice(Monitor *mon, const QDict *qdict);
@@ -126,7 +130,7 @@ index 96d014826a..3a39ba41b5 100644
  void hmp_info_migrate(Monitor *mon, const QDict *qdict);
  void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict);
  void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict);
-@@ -80,6 +81,10 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict);
+@@ -81,6 +82,10 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict);
  void hmp_netdev_del(Monitor *mon, const QDict *qdict);
  void hmp_getfd(Monitor *mon, const QDict *qdict);
  void hmp_closefd(Monitor *mon, const QDict *qdict);
@@ -135,13 +139,13 @@ index 96d014826a..3a39ba41b5 100644
 +void hmp_delete_drive_snapshot(Monitor *mon, const QDict *qdict);
 +void hmp_savevm_end(Monitor *mon, const QDict *qdict);
  void hmp_sendkey(Monitor *mon, const QDict *qdict);
- void hmp_screendump(Monitor *mon, const QDict *qdict);
+ void coroutine_fn hmp_screendump(Monitor *mon, const QDict *qdict);
  void hmp_chardev_add(Monitor *mon, const QDict *qdict);
 diff --git a/migration/meson.build b/migration/meson.build
-index f8714dcb15..ea9aedeefc 100644
+index 8cac83c06c..0842d00cd2 100644
 --- a/migration/meson.build
 +++ b/migration/meson.build
-@@ -23,6 +23,7 @@ softmmu_ss.add(files(
+@@ -24,6 +24,7 @@ softmmu_ss.add(files(
    'multifd-zlib.c',
    'postcopy-ram.c',
    'savevm.c',
@@ -151,11 +155,12 @@ index f8714dcb15..ea9aedeefc 100644
  ), gnutls)
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
 new file mode 100644
-index 0000000000..79a0cda906
+index 0000000000..dc30558713
 --- /dev/null
 +++ b/migration/savevm-async.c
-@@ -0,0 +1,598 @@
+@@ -0,0 +1,538 @@
 +#include "qemu/osdep.h"
++#include "migration/channel-savevm-async.h"
 +#include "migration/migration.h"
 +#include "migration/savevm.h"
 +#include "migration/snapshot.h"
@@ -179,9 +184,6 @@ index 0000000000..79a0cda906
 +
 +/* #define DEBUG_SAVEVM_STATE */
 +
-+/* used while emulated sync operation in progress */
-+#define NOT_DONE -EINPROGRESS
-+
 +#ifdef DEBUG_SAVEVM_STATE
 +#define DPRINTF(fmt, ...) \
 +    do { printf("savevm-async: " fmt, ## __VA_ARGS__); } while (0)
@@ -210,7 +212,7 @@ index 0000000000..79a0cda906
 +    int64_t total_time;
 +    QEMUBH *finalize_bh;
 +    Coroutine *co;
-+    QemuCoSleep *target_close_wait;
++    QemuCoSleep target_close_wait;
 +} snap_state;
 +
 +static bool savevm_aborted(void)
@@ -268,6 +270,7 @@ index 0000000000..79a0cda906
 +
 +    if (snap_state.file) {
 +        ret = qemu_fclose(snap_state.file);
++        snap_state.file = NULL;
 +    }
 +
 +    if (snap_state.target) {
@@ -285,9 +288,7 @@ index 0000000000..79a0cda906
 +        blk_unref(snap_state.target);
 +        snap_state.target = NULL;
 +
-+        if (snap_state.target_close_wait) {
-+            qemu_co_sleep_wake(snap_state.target_close_wait);
-+        }
++        qemu_co_sleep_wake(&snap_state.target_close_wait);
 +    }
 +
 +    return ret;
@@ -313,60 +314,6 @@ index 0000000000..79a0cda906
 +    snap_state.state = SAVE_STATE_ERROR;
 +}
 +
-+static int block_state_close(void *opaque, Error **errp)
-+{
-+    snap_state.file = NULL;
-+    return blk_flush(snap_state.target);
-+}
-+
-+typedef struct BlkRwCo {
-+    int64_t offset;
-+    QEMUIOVector *qiov;
-+    ssize_t ret;
-+} BlkRwCo;
-+
-+static void coroutine_fn block_state_write_entry(void *opaque) {
-+    BlkRwCo *rwco = opaque;
-+    rwco->ret = blk_co_pwritev(snap_state.target, rwco->offset, rwco->qiov->size,
-+                               rwco->qiov, 0);
-+    aio_wait_kick();
-+}
-+
-+static ssize_t block_state_writev_buffer(void *opaque, struct iovec *iov,
-+                                         int iovcnt, int64_t pos, Error **errp)
-+{
-+    QEMUIOVector qiov;
-+    BlkRwCo rwco;
-+
-+    assert(pos == snap_state.bs_pos);
-+    rwco = (BlkRwCo) {
-+        .offset = pos,
-+        .qiov = &qiov,
-+        .ret = NOT_DONE,
-+    };
-+
-+    qemu_iovec_init_external(&qiov, iov, iovcnt);
-+
-+    if (qemu_in_coroutine()) {
-+        block_state_write_entry(&rwco);
-+    } else {
-+        Coroutine *co = qemu_coroutine_create(&block_state_write_entry, &rwco);
-+        bdrv_coroutine_enter(blk_bs(snap_state.target), co);
-+        BDRV_POLL_WHILE(blk_bs(snap_state.target), rwco.ret == NOT_DONE);
-+    }
-+    if (rwco.ret < 0) {
-+        return rwco.ret;
-+    }
-+
-+    snap_state.bs_pos += qiov.size;
-+    return qiov.size;
-+}
-+
-+static const QEMUFileOps block_file_ops = {
-+    .writev_buffer =  block_state_writev_buffer,
-+    .close =          block_state_close,
-+};
-+
 +static void process_savevm_finalize(void *opaque)
 +{
 +    int ret;
@@ -401,7 +348,7 @@ index 0000000000..79a0cda906
 +        (void)qemu_savevm_state_complete_precopy(snap_state.file, false, false);
 +        ret = qemu_file_get_error(snap_state.file);
 +        if (ret < 0) {
-+                save_snapshot_error("qemu_savevm_state_iterate error %d", ret);
++            save_snapshot_error("qemu_savevm_state_complete_precopy error %d", ret);
 +        }
 +    }
 +
@@ -422,8 +369,11 @@ index 0000000000..79a0cda906
 +    } else if (snap_state.state == SAVE_STATE_ACTIVE) {
 +        snap_state.state = SAVE_STATE_COMPLETED;
 +    } else if (aborted) {
-+        save_snapshot_error("process_savevm_cleanup: found aborted state: %d",
-+                            snap_state.state);
++        /*
++         * If there was an error, there's no need to set a new one here.
++         * If the snapshot was canceled, leave setting the state to
++         * qmp_savevm_end(), which is waked by save_snapshot_cleanup().
++         */
 +    } else {
 +        save_snapshot_error("process_savevm_cleanup: invalid state: %d",
 +                            snap_state.state);
@@ -464,9 +414,16 @@ index 0000000000..79a0cda906
 +
 +        pending_size = pend_precopy + pend_compatible + pend_postcopy;
 +
-+        maxlen = blk_getlength(snap_state.target) - 30*1024*1024;
++        /*
++         * A guest reaching this cutoff is dirtying lots of RAM. It should be
++         * large enough so that the guest can't dirty this much between the
++         * check and the guest actually being stopped, but it should be small
++         * enough to avoid long downtimes for non-hibernation snapshots.
++         */
++        maxlen = blk_getlength(snap_state.target) - 100*1024*1024;
 +
-+        if (pending_size > 400000 && snap_state.bs_pos + pending_size < maxlen) {
++        /* Note that there is no progress for pend_postcopy when iterating */
++        if (pending_size - pend_postcopy > 400000 && snap_state.bs_pos + pending_size < maxlen) {
 +            ret = qemu_savevm_state_iterate(snap_state.file, false);
 +            if (ret < 0) {
 +                save_snapshot_error("qemu_savevm_state_iterate error %d", ret);
@@ -549,6 +506,7 @@ index 0000000000..79a0cda906
 +    snap_state.bs_pos = 0;
 +    snap_state.total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
 +    snap_state.blocker = NULL;
++    snap_state.target_close_wait = (QemuCoSleep){ .to_wake = NULL };
 +
 +    if (snap_state.error) {
 +        error_free(snap_state.error);
@@ -575,7 +533,9 @@ index 0000000000..79a0cda906
 +        goto restart;
 +    }
 +
-+    snap_state.file = qemu_fopen_ops(&snap_state, &block_file_ops);
++    QIOChannel *ioc = QIO_CHANNEL(qio_channel_savevm_async_new(snap_state.target,
++                                                               &snap_state.bs_pos));
++    snap_state.file = qemu_file_new_output(ioc);
 +
 +    if (!snap_state.file) {
 +        error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
@@ -653,9 +613,8 @@ index 0000000000..79a0cda906
 +     * call exits the statefile will be closed and can be removed immediately */
 +    DPRINTF("savevm-end: waiting for cleanup\n");
 +    timeout = 30L * 1000 * 1000 * 1000;
-+    qemu_co_sleep_ns_wakeable(snap_state.target_close_wait,
++    qemu_co_sleep_ns_wakeable(&snap_state.target_close_wait,
 +                              QEMU_CLOCK_REALTIME, timeout);
-+    snap_state.target_close_wait = NULL;
 +    if (snap_state.target) {
 +        save_snapshot_error("timeout waiting for target file close in "
 +                            "qmp_savevm_end");
@@ -664,6 +623,11 @@ index 0000000000..79a0cda906
 +        return;
 +    }
 +
++    // File closed and no other error, so ensure next snapshot can be started.
++    if (snap_state.state != SAVE_STATE_ERROR) {
++        snap_state.state = SAVE_STATE_DONE;
++    }
++
 +    DPRINTF("savevm-end: cleanup done\n");
 +}
 +
@@ -683,27 +647,6 @@ index 0000000000..79a0cda906
 +                                                     true, name, errp);
 +}
 +
-+static ssize_t loadstate_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
-+                                    size_t size, Error **errp)
-+{
-+    BlockBackend *be = opaque;
-+    int64_t maxlen = blk_getlength(be);
-+    if (pos > maxlen) {
-+        return -EIO;
-+    }
-+    if ((pos + size) > maxlen) {
-+        size = maxlen - pos - 1;
-+    }
-+    if (size == 0) {
-+        return 0;
-+    }
-+    return blk_pread(be, pos, buf, size);
-+}
-+
-+static const QEMUFileOps loadstate_file_ops = {
-+    .get_buffer = loadstate_get_buffer,
-+};
-+
 +int load_snapshot_from_blockdev(const char *filename, Error **errp)
 +{
 +    BlockBackend *be;
@@ -711,6 +654,7 @@ index 0000000000..79a0cda906
 +    Error *blocker = NULL;
 +
 +    QEMUFile *f;
++    size_t bs_pos = 0;
 +    int ret = -EINVAL;
 +
 +    be = blk_new_open(filename, NULL, NULL, 0, &local_err);
@@ -724,7 +668,7 @@ index 0000000000..79a0cda906
 +    blk_op_block_all(be, blocker);
 +
 +    /* restore the VM state */
-+    f = qemu_fopen_ops(be, &loadstate_file_ops);
++    f = qemu_file_new_input(QIO_CHANNEL(qio_channel_savevm_async_new(be, &bs_pos)));
 +    if (!f) {
 +        error_setg(errp, "Could not open VM state file");
 +        goto the_end;
@@ -754,10 +698,10 @@ index 0000000000..79a0cda906
 +    return ret;
 +}
 diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index e9fa9af6bd..5000ce39d1 100644
+index 480b798963..cfebfd1db5 100644
 --- a/monitor/hmp-cmds.c
 +++ b/monitor/hmp-cmds.c
-@@ -1903,6 +1903,63 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict)
+@@ -1906,6 +1906,63 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict)
      hmp_handle_error(mon, err);
  }
  
@@ -822,10 +766,10 @@ index e9fa9af6bd..5000ce39d1 100644
  {
      IOThreadInfoList *info_list = qmp_query_iothreads(NULL);
 diff --git a/qapi/migration.json b/qapi/migration.json
-index bbfd48cf0b..45686390a2 100644
+index 88ecf86ac8..4435866379 100644
 --- a/qapi/migration.json
 +++ b/qapi/migration.json
-@@ -247,6 +247,40 @@
+@@ -261,6 +261,40 @@
             '*compression': 'CompressionStats',
             '*socket-address': ['SocketAddress'] } }
  
@@ -867,7 +811,7 @@ index bbfd48cf0b..45686390a2 100644
  # @query-migrate:
  #
 diff --git a/qapi/misc.json b/qapi/misc.json
-index 358548abe1..25b3febc52 100644
+index 27ef5a2b20..b3ce75dcae 100644
 --- a/qapi/misc.json
 +++ b/qapi/misc.json
 @@ -435,6 +435,38 @@
@@ -910,10 +854,10 @@ index 358548abe1..25b3febc52 100644
  # @CommandLineParameterType:
  #
 diff --git a/qemu-options.hx b/qemu-options.hx
-index ae2c6dbbfc..423144abeb 100644
+index 7f798ce47e..9e3de34143 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
-@@ -4171,6 +4171,18 @@ SRST
+@@ -4423,6 +4423,18 @@ SRST
      Start right away with a saved state (``loadvm`` in monitor)
  ERST
  
@@ -933,18 +877,18 @@ index ae2c6dbbfc..423144abeb 100644
  DEF("daemonize", 0, QEMU_OPTION_daemonize, \
      "-daemonize      daemonize QEMU after initializing\n", QEMU_ARCH_ALL)
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 620a1f1367..fd82efb8b3 100644
+index 7aa3eb5cf9..c94fe3d778 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
-@@ -156,6 +156,7 @@ static const char *incoming;
- static const char *loadvm;
- static const char *accelerators;
+@@ -164,6 +164,7 @@ static const char *accelerators;
+ static bool have_custom_ram_size;
+ static const char *ram_memdev_id;
  static QDict *machine_opts_dict;
 +static const char *loadstate;
  static QTAILQ_HEAD(, ObjectOption) object_opts = QTAILQ_HEAD_INITIALIZER(object_opts);
  static QTAILQ_HEAD(, DeviceOption) device_opts = QTAILQ_HEAD_INITIALIZER(device_opts);
- static ram_addr_t maxram_size;
-@@ -2743,6 +2744,12 @@ void qmp_x_exit_preconfig(Error **errp)
+ static int display_remote;
+@@ -2615,6 +2616,12 @@ void qmp_x_exit_preconfig(Error **errp)
  
      if (loadvm) {
          load_snapshot(loadvm, NULL, false, NULL, &error_fatal);
@@ -957,7 +901,7 @@ index 620a1f1367..fd82efb8b3 100644
      }
      if (replay_mode != REPLAY_MODE_NONE) {
          replay_vmstate_init();
-@@ -3284,6 +3291,9 @@ void qemu_init(int argc, char **argv, char **envp)
+@@ -3159,6 +3166,9 @@ void qemu_init(int argc, char **argv)
              case QEMU_OPTION_loadvm:
                  loadvm = optarg;
                  break;

debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch

@@ -10,17 +10,19 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 [increase max IOV count in QEMUFile to actually write more data]
 Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: adapt to removal of QEMUFileOps]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
- migration/qemu-file.c    | 38 +++++++++++++++++++++++++-------------
- migration/qemu-file.h    |  1 +
- migration/savevm-async.c |  4 ++--
- 3 files changed, 28 insertions(+), 15 deletions(-)
+ migration/qemu-file.c    | 49 +++++++++++++++++++++++++++-------------
+ migration/qemu-file.h    |  2 ++
+ migration/savevm-async.c |  5 ++--
+ 3 files changed, 38 insertions(+), 18 deletions(-)
 
 diff --git a/migration/qemu-file.c b/migration/qemu-file.c
-index 6338d8e2ff..6697a93a7e 100644
+index 2d5f74ffc2..9fd97e6fe1 100644
 --- a/migration/qemu-file.c
 +++ b/migration/qemu-file.c
-@@ -30,8 +30,8 @@
+@@ -31,8 +31,8 @@
  #include "trace.h"
  #include "qapi/error.h"
  
@@ -30,9 +32,9 @@ index 6338d8e2ff..6697a93a7e 100644
 +#define MAX_IOV_SIZE MIN_CONST(IOV_MAX, 256)
  
  struct QEMUFile {
-     const QEMUFileOps *ops;
-@@ -45,7 +45,8 @@ struct QEMUFile {
-                     when reading */
+     const QEMUFileHooks *hooks;
+@@ -55,7 +55,8 @@ struct QEMUFile {
+ 
      int buf_index;
      int buf_size; /* 0 when writing */
 -    uint8_t buf[IO_BUF_SIZE];
@@ -41,53 +43,76 @@ index 6338d8e2ff..6697a93a7e 100644
  
      DECLARE_BITMAP(may_free, MAX_IOV_SIZE);
      struct iovec iov[MAX_IOV_SIZE];
-@@ -103,7 +104,7 @@ bool qemu_file_mode_is_not_valid(const char *mode)
+@@ -127,7 +128,9 @@ bool qemu_file_mode_is_not_valid(const char *mode)
      return false;
  }
  
--QEMUFile *qemu_fopen_ops(void *opaque, const QEMUFileOps *ops, bool has_ioc)
-+QEMUFile *qemu_fopen_ops_sized(void *opaque, const QEMUFileOps *ops, bool has_ioc, size_t buffer_size)
+-static QEMUFile *qemu_file_new_impl(QIOChannel *ioc, bool is_writable)
++static QEMUFile *qemu_file_new_impl(QIOChannel *ioc,
++                                    bool is_writable,
++                                    size_t buffer_size)
  {
      QEMUFile *f;
  
-@@ -112,9 +113,17 @@ QEMUFile *qemu_fopen_ops(void *opaque, const QEMUFileOps *ops, bool has_ioc)
-     f->opaque = opaque;
-     f->ops = ops;
-     f->has_ioc = has_ioc;
+@@ -136,6 +139,8 @@ static QEMUFile *qemu_file_new_impl(QIOChannel *ioc, bool is_writable)
+     object_ref(ioc);
+     f->ioc = ioc;
+     f->is_writable = is_writable;
 +    f->buf_allocated_size = buffer_size;
 +    f->buf = malloc(buffer_size);
-+
+ 
      return f;
  }
+@@ -146,17 +151,27 @@ static QEMUFile *qemu_file_new_impl(QIOChannel *ioc, bool is_writable)
+  */
+ QEMUFile *qemu_file_get_return_path(QEMUFile *f)
+ {
+-    return qemu_file_new_impl(f->ioc, !f->is_writable);
++    return qemu_file_new_impl(f->ioc, !f->is_writable, DEFAULT_IO_BUF_SIZE);
+ }
  
-+QEMUFile *qemu_fopen_ops(void *opaque, const QEMUFileOps *ops, bool has_ioc)
-+{
-+    return qemu_fopen_ops_sized(opaque, ops, has_ioc, DEFAULT_IO_BUF_SIZE);
+ QEMUFile *qemu_file_new_output(QIOChannel *ioc)
+ {
+-    return qemu_file_new_impl(ioc, true);
++    return qemu_file_new_impl(ioc, true, DEFAULT_IO_BUF_SIZE);
 +}
 +
++QEMUFile *qemu_file_new_output_sized(QIOChannel *ioc, size_t buffer_size)
++{
++    return qemu_file_new_impl(ioc, true, buffer_size);
+ }
+ 
+ QEMUFile *qemu_file_new_input(QIOChannel *ioc)
+ {
+-    return qemu_file_new_impl(ioc, false);
++    return qemu_file_new_impl(ioc, false, DEFAULT_IO_BUF_SIZE);
++}
++
++QEMUFile *qemu_file_new_input_sized(QIOChannel *ioc, size_t buffer_size)
++{
++    return qemu_file_new_impl(ioc, false, buffer_size);
+ }
  
  void qemu_file_set_hooks(QEMUFile *f, const QEMUFileHooks *hooks)
- {
-@@ -349,7 +358,7 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
+@@ -414,7 +429,7 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
+     do {
+         len = qio_channel_read(f->ioc,
+                                (char *)f->buf + pending,
+-                               IO_BUF_SIZE - pending,
++                               f->buf_allocated_size - pending,
+                                &local_error);
+         if (len == QIO_CHANNEL_ERR_BLOCK) {
+             if (qemu_in_coroutine()) {
+@@ -464,6 +479,8 @@ int qemu_fclose(QEMUFile *f)
      }
+     g_clear_pointer(&f->ioc, object_unref);
  
-     len = f->ops->get_buffer(f->opaque, f->buf + pending, f->pos,
--                             IO_BUF_SIZE - pending, &local_error);
-+                             f->buf_allocated_size - pending, &local_error);
-     if (len > 0) {
-         f->buf_size += len;
-         f->pos += len;
-@@ -389,6 +398,9 @@ int qemu_fclose(QEMUFile *f)
-             ret = ret2;
-         }
-     }
-+
 +    free(f->buf);
 +
      /* If any error was spotted before closing, we should report it
       * instead of the close() return value.
       */
-@@ -443,7 +455,7 @@ static void add_buf_to_iovec(QEMUFile *f, size_t len)
+@@ -518,7 +535,7 @@ static void add_buf_to_iovec(QEMUFile *f, size_t len)
  {
      if (!add_to_iovec(f, f->buf + f->buf_index, len, false)) {
          f->buf_index += len;
@@ -96,7 +121,7 @@ index 6338d8e2ff..6697a93a7e 100644
              qemu_fflush(f);
          }
      }
-@@ -469,7 +481,7 @@ void qemu_put_buffer(QEMUFile *f, const uint8_t *buf, size_t size)
+@@ -544,7 +561,7 @@ void qemu_put_buffer(QEMUFile *f, const uint8_t *buf, size_t size)
      }
  
      while (size > 0) {
@@ -105,7 +130,7 @@ index 6338d8e2ff..6697a93a7e 100644
          if (l > size) {
              l = size;
          }
-@@ -516,8 +528,8 @@ size_t qemu_peek_buffer(QEMUFile *f, uint8_t **buf, size_t size, size_t offset)
+@@ -591,8 +608,8 @@ size_t qemu_peek_buffer(QEMUFile *f, uint8_t **buf, size_t size, size_t offset)
      size_t index;
  
      assert(!qemu_file_is_writable(f));
@@ -116,7 +141,7 @@ index 6338d8e2ff..6697a93a7e 100644
  
      /* The 1st byte to read from */
      index = f->buf_index + offset;
-@@ -567,7 +579,7 @@ size_t qemu_get_buffer(QEMUFile *f, uint8_t *buf, size_t size)
+@@ -642,7 +659,7 @@ size_t qemu_get_buffer(QEMUFile *f, uint8_t *buf, size_t size)
          size_t res;
          uint8_t *src;
  
@@ -125,7 +150,7 @@ index 6338d8e2ff..6697a93a7e 100644
          if (res == 0) {
              return done;
          }
-@@ -601,7 +613,7 @@ size_t qemu_get_buffer(QEMUFile *f, uint8_t *buf, size_t size)
+@@ -676,7 +693,7 @@ size_t qemu_get_buffer(QEMUFile *f, uint8_t *buf, size_t size)
   */
  size_t qemu_get_buffer_in_place(QEMUFile *f, uint8_t **buf, size_t size)
  {
@@ -134,7 +159,7 @@ index 6338d8e2ff..6697a93a7e 100644
          size_t res;
          uint8_t *src = NULL;
  
-@@ -626,7 +638,7 @@ int qemu_peek_byte(QEMUFile *f, int offset)
+@@ -701,7 +718,7 @@ int qemu_peek_byte(QEMUFile *f, int offset)
      int index = f->buf_index + offset;
  
      assert(!qemu_file_is_writable(f));
@@ -143,7 +168,7 @@ index 6338d8e2ff..6697a93a7e 100644
  
      if (index >= f->buf_size) {
          qemu_fill_buffer(f);
-@@ -778,7 +790,7 @@ static int qemu_compress_data(z_stream *stream, uint8_t *dest, size_t dest_len,
+@@ -853,7 +870,7 @@ static int qemu_compress_data(z_stream *stream, uint8_t *dest, size_t dest_len,
  ssize_t qemu_put_compression_data(QEMUFile *f, z_stream *stream,
                                    const uint8_t *p, size_t size)
  {
@@ -153,36 +178,39 @@ index 6338d8e2ff..6697a93a7e 100644
      if (blen < compressBound(size)) {
          return -1;
 diff --git a/migration/qemu-file.h b/migration/qemu-file.h
-index 3f36d4dc8c..67501fd9cf 100644
+index fa13d04d78..914f1a63a8 100644
 --- a/migration/qemu-file.h
 +++ b/migration/qemu-file.h
-@@ -121,6 +121,7 @@ typedef struct QEMUFileHooks {
+@@ -63,7 +63,9 @@ typedef struct QEMUFileHooks {
  } QEMUFileHooks;
  
- QEMUFile *qemu_fopen_ops(void *opaque, const QEMUFileOps *ops, bool has_ioc);
-+QEMUFile *qemu_fopen_ops_sized(void *opaque, const QEMUFileOps *ops, bool has_ioc, size_t buffer_size);
+ QEMUFile *qemu_file_new_input(QIOChannel *ioc);
++QEMUFile *qemu_file_new_input_sized(QIOChannel *ioc, size_t buffer_size);
+ QEMUFile *qemu_file_new_output(QIOChannel *ioc);
++QEMUFile *qemu_file_new_output_sized(QIOChannel *ioc, size_t buffer_size);
  void qemu_file_set_hooks(QEMUFile *f, const QEMUFileHooks *hooks);
- int qemu_get_fd(QEMUFile *f);
  int qemu_fclose(QEMUFile *f);
+ 
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
-index 79a0cda906..970ee3b3fc 100644
+index dc30558713..a38e7351c1 100644
 --- a/migration/savevm-async.c
 +++ b/migration/savevm-async.c
-@@ -418,7 +418,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
-         goto restart;
-     }
+@@ -374,7 +374,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
  
--    snap_state.file = qemu_fopen_ops(&snap_state, &block_file_ops);
-+    snap_state.file = qemu_fopen_ops_sized(&snap_state, &block_file_ops, false, 4 * 1024 * 1024);
+     QIOChannel *ioc = QIO_CHANNEL(qio_channel_savevm_async_new(snap_state.target,
+                                                                &snap_state.bs_pos));
+-    snap_state.file = qemu_file_new_output(ioc);
++    snap_state.file = qemu_file_new_output_sized(ioc, 4 * 1024 * 1024);
  
      if (!snap_state.file) {
          error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
-@@ -567,7 +567,7 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
+@@ -507,7 +507,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
      blk_op_block_all(be, blocker);
  
      /* restore the VM state */
--    f = qemu_fopen_ops(be, &loadstate_file_ops);
-+    f = qemu_fopen_ops_sized(be, &loadstate_file_ops, false, 4 * 1024 * 1024);
+-    f = qemu_file_new_input(QIO_CHANNEL(qio_channel_savevm_async_new(be, &bs_pos)));
++    f = qemu_file_new_input_sized(QIO_CHANNEL(qio_channel_savevm_async_new(be, &bs_pos)),
++                                  4 * 1024 * 1024);
      if (!f) {
          error_setg(errp, "Could not open VM state file");
          goto the_end;

debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch

@@ -8,15 +8,15 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
 ---
  block/meson.build |   1 +
- block/zeroinit.c  | 196 ++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 197 insertions(+)
+ block/zeroinit.c  | 198 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 199 insertions(+)
  create mode 100644 block/zeroinit.c
 
 diff --git a/block/meson.build b/block/meson.build
-index deb73ca389..c9d1fdca7d 100644
+index b7c68b83a3..020a89ae07 100644
 --- a/block/meson.build
 +++ b/block/meson.build
-@@ -41,6 +41,7 @@ block_ss.add(files(
+@@ -43,6 +43,7 @@ block_ss.add(files(
    'vmdk.c',
    'vpc.c',
    'write-threshold.c',
@@ -26,10 +26,10 @@ index deb73ca389..c9d1fdca7d 100644
  softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
 diff --git a/block/zeroinit.c b/block/zeroinit.c
 new file mode 100644
-index 0000000000..20ee611f22
+index 0000000000..b60e1b84dc
 --- /dev/null
 +++ b/block/zeroinit.c
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,198 @@
 +/*
 + * Filter to fake a zero-initialized block device.
 + *
@@ -109,7 +109,9 @@ index 0000000000..20ee611f22
 +
 +    /* Open the raw file */
 +    bs->file = bdrv_open_child(qemu_opt_get(opts, "x-next"), options, "next",
-+                               bs, &child_of_bds, BDRV_CHILD_FILTERED, false, &local_err);
++                               bs, &child_of_bds,
++                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
++                               false, &local_err);
 +    if (local_err) {
 +        ret = -EINVAL;
 +        error_propagate(errp, local_err);

debian/patches/pve/0020-PVE-Add-dummy-id-command-line-parameter.patch

@@ -14,12 +14,12 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 11 insertions(+)
 
 diff --git a/qemu-options.hx b/qemu-options.hx
-index 423144abeb..4879471aeb 100644
+index 9e3de34143..1ff8905127 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
-@@ -1019,6 +1019,9 @@ DEFHEADING()
+@@ -1159,6 +1159,9 @@ legacy PC, they are not recommended for modern configurations.
  
- DEFHEADING(Block device options:)
+ ERST
  
 +DEF("id", HAS_ARG, QEMU_OPTION_id,
 +    "-id n           set the VMID", QEMU_ARCH_ALL)
@@ -28,10 +28,10 @@ index 423144abeb..4879471aeb 100644
      "-fda/-fdb file  use 'file' as floppy disk 0/1 image\n", QEMU_ARCH_ALL)
  DEF("fdb", HAS_ARG, QEMU_OPTION_fdb, "", QEMU_ARCH_ALL)
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index fd82efb8b3..eb05e5a000 100644
+index c94fe3d778..a6f7a422ec 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
-@@ -2779,6 +2779,7 @@ void qemu_init(int argc, char **argv, char **envp)
+@@ -2651,6 +2651,7 @@ void qemu_init(int argc, char **argv)
      MachineClass *machine_class;
      bool userconfig = true;
      FILE *vmstate_dump_file = NULL;
@@ -39,7 +39,7 @@ index fd82efb8b3..eb05e5a000 100644
  
      qemu_add_opts(&qemu_drive_opts);
      qemu_add_drive_opts(&qemu_legacy_drive_opts);
-@@ -3421,6 +3422,13 @@ void qemu_init(int argc, char **argv, char **envp)
+@@ -3271,6 +3272,13 @@ void qemu_init(int argc, char **argv)
                  machine_parse_property_opt(qemu_find_opts("smp-opts"),
                                             "smp", optarg);
                  break;

debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch

@@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 42 insertions(+), 20 deletions(-)
 
 diff --git a/block/file-posix.c b/block/file-posix.c
-index 821405fd02..e3b6c3c524 100644
+index 9a16d86344..bd68df57ad 100644
 --- a/block/file-posix.c
 +++ b/block/file-posix.c
-@@ -2465,6 +2465,7 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2487,6 +2487,7 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
      int fd;
      uint64_t perm, shared;
      int result = 0;
@@ -24,7 +24,7 @@ index 821405fd02..e3b6c3c524 100644
  
      /* Validate options and set default values */
      assert(options->driver == BLOCKDEV_DRIVER_FILE);
-@@ -2505,19 +2506,22 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2527,19 +2528,22 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
      perm = BLK_PERM_WRITE | BLK_PERM_RESIZE;
      shared = BLK_PERM_ALL & ~BLK_PERM_RESIZE;
  
@@ -59,7 +59,7 @@ index 821405fd02..e3b6c3c524 100644
      }
  
      /* Clear the file by truncating it to 0 */
-@@ -2571,13 +2575,15 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2593,13 +2597,15 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
      }
  
  out_unlock:
@@ -82,7 +82,7 @@ index 821405fd02..e3b6c3c524 100644
      }
  
  out_close:
-@@ -2602,6 +2608,7 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
+@@ -2624,6 +2630,7 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
      PreallocMode prealloc;
      char *buf = NULL;
      Error *local_err = NULL;
@@ -90,7 +90,7 @@ index 821405fd02..e3b6c3c524 100644
  
      /* Skip file: protocol prefix */
      strstart(filename, "file:", &filename);
-@@ -2624,6 +2631,18 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
+@@ -2646,6 +2653,18 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
          return -EINVAL;
      }
  
@@ -109,7 +109,7 @@ index 821405fd02..e3b6c3c524 100644
      options = (BlockdevCreateOptions) {
          .driver     = BLOCKDEV_DRIVER_FILE,
          .u.file     = {
-@@ -2635,6 +2654,8 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
+@@ -2657,6 +2676,8 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
              .nocow              = nocow,
              .has_extent_size_hint = has_extent_size_hint,
              .extent_size_hint   = extent_size_hint,
@@ -119,10 +119,10 @@ index 821405fd02..e3b6c3c524 100644
      };
      return raw_co_create(&options, errp);
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 1d3dd9cb48..3f81d6a5c0 100644
+index 7daaf545be..9e902b96bb 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -4445,7 +4445,8 @@
+@@ -4624,7 +4624,8 @@
              'size':                 'size',
              '*preallocation':       'PreallocMode',
              '*nocow':               'bool',

debian/patches/pve/0023-PVE-monitor-disable-oob-capability.patch

@@ -18,10 +18,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 2 deletions(-)
 
 diff --git a/monitor/qmp.c b/monitor/qmp.c
-index 6b8cfcf6d8..3ec67e32d3 100644
+index cc1407e4ac..c34fa2e0e3 100644
 --- a/monitor/qmp.c
 +++ b/monitor/qmp.c
-@@ -519,8 +519,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
+@@ -502,8 +502,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
      qemu_chr_fe_set_echo(&mon->common.chr, true);
  
      /* Note: we run QMP monitor in I/O thread when @chr supports that */

debian/patches/pve/0024-PVE-Compat-4.0-used-balloon-qemu-4-0-config-size-fal.patch

@@ -26,10 +26,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 53a99abc56..ad2cb2592e 100644
+index 19f42450f5..39ef2b6fe6 100644
 --- a/hw/core/machine.c
 +++ b/hw/core/machine.c
-@@ -113,7 +113,8 @@ GlobalProperty hw_compat_4_0[] = {
+@@ -135,7 +135,8 @@ GlobalProperty hw_compat_4_0[] = {
      { "virtio-vga",     "edid", "false" },
      { "virtio-gpu-device", "edid", "false" },
      { "virtio-device", "use-started", "false" },

debian/patches/pve/0025-PVE-Allow-version-code-in-machine-type.patch

@@ -36,23 +36,23 @@ index 76fff60a6b..ec9201fb9a 100644
  
          if (mc->default_cpu_type) {
 diff --git a/include/hw/boards.h b/include/hw/boards.h
-index 9c1c190104..51e04bde62 100644
+index ca2f0d3592..acc3b62b6e 100644
 --- a/include/hw/boards.h
 +++ b/include/hw/boards.h
-@@ -227,6 +227,8 @@ struct MachineClass {
+@@ -232,6 +232,8 @@ struct MachineClass {
      const char *desc;
      const char *deprecation_reason;
  
 +    const char *pve_version;
 +
      void (*init)(MachineState *state);
-     void (*reset)(MachineState *state);
+     void (*reset)(MachineState *state, ShutdownCause reason);
      void (*wakeup)(MachineState *state);
 diff --git a/qapi/machine.json b/qapi/machine.json
-index 0905618e25..a05c46e253 100644
+index 9156103c8f..f4fb1b2c9c 100644
 --- a/qapi/machine.json
 +++ b/qapi/machine.json
-@@ -160,6 +160,8 @@
+@@ -157,6 +157,8 @@
  #
  # @default-ram-id: the default ID of initial RAM memory backend (since 5.2)
  #
@@ -61,7 +61,7 @@ index 0905618e25..a05c46e253 100644
  # Since: 1.2
  ##
  { 'struct': 'MachineInfo',
-@@ -167,7 +169,7 @@
+@@ -164,7 +166,7 @@
              '*is-default': 'bool', '*is-current': 'bool', 'cpu-max': 'int',
              'hotpluggable-cpus': 'bool',  'numa-mem-supported': 'bool',
              'deprecated': 'bool', '*default-cpu-type': 'str',
@@ -71,10 +71,10 @@ index 0905618e25..a05c46e253 100644
  ##
  # @query-machines:
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index eb05e5a000..f306d21d63 100644
+index a6f7a422ec..8b0b35b6b4 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
-@@ -1655,6 +1655,7 @@ static const QEMUOption *lookup_opt(int argc, char **argv,
+@@ -1582,6 +1582,7 @@ static const QEMUOption *lookup_opt(int argc, char **argv,
  static MachineClass *select_machine(QDict *qdict, Error **errp)
  {
      const char *optarg = qdict_get_try_str(qdict, "type");
@@ -82,7 +82,7 @@ index eb05e5a000..f306d21d63 100644
      GSList *machines = object_class_get_list(TYPE_MACHINE, false);
      MachineClass *machine_class;
      Error *local_err = NULL;
-@@ -1672,6 +1673,11 @@ static MachineClass *select_machine(QDict *qdict, Error **errp)
+@@ -1599,6 +1600,11 @@ static MachineClass *select_machine(QDict *qdict, Error **errp)
          }
      }
  
@@ -94,7 +94,7 @@ index eb05e5a000..f306d21d63 100644
      g_slist_free(machines);
      if (local_err) {
          error_append_hint(&local_err, "Use -machine help to list supported machines\n");
-@@ -3363,12 +3369,31 @@ void qemu_init(int argc, char **argv, char **envp)
+@@ -3213,12 +3219,31 @@ void qemu_init(int argc, char **argv)
              case QEMU_OPTION_machine:
                  {
                      bool help;

debian/patches/pve/0026-block-backup-move-bcs-bitmap-initialization-to-job-c.patch

@@ -25,11 +25,11 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/block/backup.c b/block/backup.c
-index 21d5983779..47e218857d 100644
+index 6a9ad97a53..9b0151c5be 100644
 --- a/block/backup.c
 +++ b/block/backup.c
-@@ -239,8 +239,8 @@ static void backup_init_bcs_bitmap(BackupBlockJob *job)
-         assert(ret);
+@@ -237,8 +237,8 @@ static void backup_init_bcs_bitmap(BackupBlockJob *job)
+                                          true);
      } else if (job->sync_mode == MIRROR_SYNC_MODE_TOP) {
          /*
 -         * We can't hog the coroutine to initialize this thoroughly.
@@ -39,7 +39,7 @@ index 21d5983779..47e218857d 100644
           */
          block_copy_set_skip_unallocated(job->bcs, true);
      }
-@@ -254,8 +254,6 @@ static int coroutine_fn backup_run(Job *job, Error **errp)
+@@ -252,8 +252,6 @@ static int coroutine_fn backup_run(Job *job, Error **errp)
      BackupBlockJob *s = container_of(job, BackupBlockJob, common.job);
      int ret;
  
@@ -48,7 +48,7 @@ index 21d5983779..47e218857d 100644
      if (s->sync_mode == MIRROR_SYNC_MODE_TOP) {
          int64_t offset = 0;
          int64_t count;
-@@ -493,6 +491,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+@@ -492,6 +490,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
      block_job_add_bdrv(&job->common, "target", target, 0, BLK_PERM_ALL,
                         &error_abort);
  

debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch

@@ -9,8 +9,8 @@ Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
 ---
  block/meson.build |   2 +
  meson.build       |   5 +
- vma-reader.c      | 860 ++++++++++++++++++++++++++++++++++++++++++++++
- vma-writer.c      | 790 ++++++++++++++++++++++++++++++++++++++++++
+ vma-reader.c      | 859 ++++++++++++++++++++++++++++++++++++++++++++++
+ vma-writer.c      | 791 ++++++++++++++++++++++++++++++++++++++++++
  vma.c             | 849 +++++++++++++++++++++++++++++++++++++++++++++
  vma.h             | 150 ++++++++
  6 files changed, 2656 insertions(+)
@@ -20,23 +20,23 @@ Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
  create mode 100644 vma.h
 
 diff --git a/block/meson.build b/block/meson.build
-index c9d1fdca7d..72081a9974 100644
+index 020a89ae07..4feae20e37 100644
 --- a/block/meson.build
 +++ b/block/meson.build
-@@ -44,6 +44,8 @@ block_ss.add(files(
+@@ -46,6 +46,8 @@ block_ss.add(files(
    'zeroinit.c',
  ), zstd, zlib, gnutls)
  
 +block_ss.add(files('../vma-writer.c'), libuuid)
 +
  softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
+ softmmu_ss.add(files('block-ram-registrar.c'))
  
- block_ss.add(when: 'CONFIG_QCOW1', if_true: files('qcow.c'))
 diff --git a/meson.build b/meson.build
-index 96de1a6ef9..54c23b9567 100644
+index 787f91855e..a496f6fe10 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -1202,6 +1202,8 @@ keyutils = dependency('libkeyutils', required: false,
+@@ -1525,6 +1525,8 @@ keyutils = dependency('libkeyutils', required: false,
  
  has_gettid = cc.has_function('gettid')
  
@@ -45,7 +45,7 @@ index 96de1a6ef9..54c23b9567 100644
  # libselinux
  selinux = dependency('libselinux',
                       required: get_option('selinux'),
-@@ -3070,6 +3072,9 @@ if have_tools
+@@ -3598,6 +3600,9 @@ if have_tools
                 dependencies: [blockdev, qemuutil, gnutls, selinux],
                 install: true)
  
@@ -57,10 +57,10 @@ index 96de1a6ef9..54c23b9567 100644
    subdir('contrib/elf2dmp')
 diff --git a/vma-reader.c b/vma-reader.c
 new file mode 100644
-index 0000000000..4f4ee2b47b
+index 0000000000..e65f1e8415
 --- /dev/null
 +++ b/vma-reader.c
-@@ -0,0 +1,860 @@
+@@ -0,0 +1,859 @@
 +/*
 + * VMA: Virtual Machine Archive
 + *
@@ -78,7 +78,6 @@ index 0000000000..4f4ee2b47b
 +#include <glib.h>
 +#include <uuid/uuid.h>
 +
-+#include "qemu-common.h"
 +#include "qemu/timer.h"
 +#include "qemu/ratelimit.h"
 +#include "vma.h"
@@ -589,7 +588,7 @@ index 0000000000..4f4ee2b47b
 +            }
 +        }
 +    } else {
-+        int res = blk_pwrite(target, sector_num * BDRV_SECTOR_SIZE, buf, nb_sectors * BDRV_SECTOR_SIZE, 0);
++        int res = blk_pwrite(target, sector_num * BDRV_SECTOR_SIZE, nb_sectors * BDRV_SECTOR_SIZE, buf, 0);
 +        if (res < 0) {
 +            error_setg(errp, "blk_pwrite to %s failed (%d)",
 +                       bdrv_get_device_name(blk_bs(target)), res);
@@ -923,10 +922,10 @@ index 0000000000..4f4ee2b47b
 +
 diff --git a/vma-writer.c b/vma-writer.c
 new file mode 100644
-index 0000000000..11d8321ffd
+index 0000000000..df4b20793d
 --- /dev/null
 +++ b/vma-writer.c
-@@ -0,0 +1,790 @@
+@@ -0,0 +1,791 @@
 +/*
 + * VMA: Virtual Machine Archive
 + *
@@ -950,6 +949,7 @@ index 0000000000..11d8321ffd
 +#include "qemu/main-loop.h"
 +#include "qemu/coroutine.h"
 +#include "qemu/cutils.h"
++#include "qemu/memalign.h"
 +
 +#define DEBUG_VMA 0
 +
@@ -1133,9 +1133,9 @@ index 0000000000..11d8321ffd
 +    assert(qemu_in_coroutine());
 +    AioContext *ctx = qemu_get_current_aio_context();
 +    aio_set_fd_handler(ctx, fd, false, NULL, (IOHandler *)qemu_coroutine_enter,
-+                       NULL, qemu_coroutine_self());
++                       NULL, NULL, qemu_coroutine_self());
 +    qemu_coroutine_yield();
-+    aio_set_fd_handler(ctx, fd, false, NULL, NULL, NULL, NULL);
++    aio_set_fd_handler(ctx, fd, false, NULL, NULL, NULL, NULL, NULL);
 +}
 +
 +static ssize_t coroutine_fn
@@ -1719,7 +1719,7 @@ index 0000000000..11d8321ffd
 +}
 diff --git a/vma.c b/vma.c
 new file mode 100644
-index 0000000000..89440733b1
+index 0000000000..e8dffb43e0
 --- /dev/null
 +++ b/vma.c
 @@ -0,0 +1,849 @@
@@ -1740,11 +1740,11 @@ index 0000000000..89440733b1
 +#include <glib.h>
 +
 +#include "vma.h"
-+#include "qemu-common.h"
 +#include "qemu/module.h"
 +#include "qemu/error-report.h"
 +#include "qemu/main-loop.h"
 +#include "qemu/cutils.h"
++#include "qemu/memalign.h"
 +#include "qapi/qmp/qdict.h"
 +#include "sysemu/block-backend.h"
 +

debian/patches/pve/0028-PVE-Backup-add-backup-dump-block-driver.patch

@@ -10,20 +10,20 @@ Subject: [PATCH] PVE-Backup: add backup-dump block driver
 
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- block/backup-dump.c       | 168 ++++++++++++++++++++++++++++++++++++++
- block/backup.c            |  30 ++-----
- block/meson.build         |   1 +
- include/block/block_int.h |  35 ++++++++
- job.c                     |   3 +-
- 5 files changed, 214 insertions(+), 23 deletions(-)
+ block/backup-dump.c              | 167 +++++++++++++++++++++++++++++++
+ block/backup.c                   |  30 ++----
+ block/meson.build                |   1 +
+ include/block/block_int-common.h |  35 +++++++
+ job.c                            |   3 +-
+ 5 files changed, 213 insertions(+), 23 deletions(-)
  create mode 100644 block/backup-dump.c
 
 diff --git a/block/backup-dump.c b/block/backup-dump.c
 new file mode 100644
-index 0000000000..93d7f46950
+index 0000000000..04718a94e2
 --- /dev/null
 +++ b/block/backup-dump.c
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,167 @@
 +/*
 + * BlockDriver to send backup data stream to a callback function
 + *
@@ -35,7 +35,6 @@ index 0000000000..93d7f46950
 + */
 +
 +#include "qemu/osdep.h"
-+#include "qemu-common.h"
 +#include "qom/object_interfaces.h"
 +#include "block/block_int.h"
 +
@@ -193,7 +192,7 @@ index 0000000000..93d7f46950
 +    return bs;
 +}
 diff --git a/block/backup.c b/block/backup.c
-index 47e218857d..4d8fad70c4 100644
+index 9b0151c5be..6e8f6e67b3 100644
 --- a/block/backup.c
 +++ b/block/backup.c
 @@ -29,28 +29,6 @@
@@ -225,7 +224,7 @@ index 47e218857d..4d8fad70c4 100644
  static const BlockJobDriver backup_job_driver;
  
  static void backup_cleanup_sync_bitmap(BackupBlockJob *job, int ret)
-@@ -455,6 +433,14 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+@@ -454,6 +432,14 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
      }
  
      cluster_size = block_copy_cluster_size(bcs);
@@ -241,7 +240,7 @@ index 47e218857d..4d8fad70c4 100644
      if (perf->max_chunk && perf->max_chunk < cluster_size) {
          error_setg(errp, "Required max-chunk (%" PRIi64 ") is less than backup "
 diff --git a/block/meson.build b/block/meson.build
-index 72081a9974..7883df047c 100644
+index 4feae20e37..0d7023fc82 100644
 --- a/block/meson.build
 +++ b/block/meson.build
 @@ -4,6 +4,7 @@ block_ss.add(files(
@@ -252,10 +251,10 @@ index 72081a9974..7883df047c 100644
    'copy-before-write.c',
    'blkdebug.c',
    'blklogwrites.c',
-diff --git a/include/block/block_int.h b/include/block/block_int.h
-index f4c75e8ba9..169dc43d59 100644
---- a/include/block/block_int.h
-+++ b/include/block/block_int.h
+diff --git a/include/block/block_int-common.h b/include/block/block_int-common.h
+index 31ae91e56e..37b64bcd93 100644
+--- a/include/block/block_int-common.h
++++ b/include/block/block_int-common.h
 @@ -26,6 +26,7 @@
  
  #include "block/accounting.h"
@@ -270,7 +269,7 @@ index f4c75e8ba9..169dc43d59 100644
  
 +typedef int BackupDumpFunc(void *opaque, uint64_t offset, uint64_t bytes, const void *buf);
 +
-+BlockDriverState *bdrv_backuo_dump_create(
++BlockDriverState *bdrv_backup_dump_create(
 +    int dump_cb_block_size,
 +    uint64_t byte_size,
 +    BackupDumpFunc *dump_cb,
@@ -306,16 +305,16 @@ index f4c75e8ba9..169dc43d59 100644
      BDRV_TRACKED_READ,
      BDRV_TRACKED_WRITE,
 diff --git a/job.c b/job.c
-index dbfa67bb0a..af25dd5b98 100644
+index 72d57f0934..93e22d180b 100644
 --- a/job.c
 +++ b/job.c
-@@ -276,7 +276,8 @@ static bool job_started(Job *job)
-     return job->co;
+@@ -330,7 +330,8 @@ static bool job_started_locked(Job *job)
  }
  
--static bool job_should_pause(Job *job)
-+bool job_should_pause(Job *job);
-+bool job_should_pause(Job *job)
+ /* Called with job_mutex held. */
+-static bool job_should_pause_locked(Job *job)
++bool job_should_pause_locked(Job *job);
++bool job_should_pause_locked(Job *job)
  {
      return job->pause_count > 0;
  }

debian/patches/pve/0029-PVE-Backup-proxmox-backup-patches-for-qemu.patch

@@ -7,34 +7,34 @@ Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
 [PVE-Backup: avoid coroutines to fix AIO freeze, cleanups]
 Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[add new force parameter to job_cancel_sync calls]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+[FE: add new force parameter to job_cancel_sync calls
+     adapt for new job lock mechanism replacing AioContext locks]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  block/meson.build              |   5 +
  block/monitor/block-hmp-cmds.c |  33 ++
  blockdev.c                     |   1 +
  hmp-commands-info.hx           |  14 +
  hmp-commands.hx                |  29 +
- include/block/block_int.h      |   2 +-
  include/monitor/hmp.h          |   3 +
  meson.build                    |   1 +
  monitor/hmp-cmds.c             |  44 ++
  proxmox-backup-client.c        | 176 ++++++
  proxmox-backup-client.h        |  59 ++
- pve-backup.c                   | 959 +++++++++++++++++++++++++++++++++
+ pve-backup.c                   | 956 +++++++++++++++++++++++++++++++++
  qapi/block-core.json           | 109 ++++
  qapi/common.json               |  13 +
  qapi/machine.json              |  15 +-
- 15 files changed, 1449 insertions(+), 14 deletions(-)
+ 14 files changed, 1445 insertions(+), 13 deletions(-)
  create mode 100644 proxmox-backup-client.c
  create mode 100644 proxmox-backup-client.h
  create mode 100644 pve-backup.c
 
 diff --git a/block/meson.build b/block/meson.build
-index 7883df047c..9d3dd5b7c3 100644
+index 0d7023fc82..e995ae72b9 100644
 --- a/block/meson.build
 +++ b/block/meson.build
-@@ -46,6 +46,11 @@ block_ss.add(files(
+@@ -48,6 +48,11 @@ block_ss.add(files(
  ), zstd, zlib, gnutls)
  
  block_ss.add(files('../vma-writer.c'), libuuid)
@@ -45,12 +45,12 @@ index 7883df047c..9d3dd5b7c3 100644
 +
  
  softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
- 
+ softmmu_ss.add(files('block-ram-registrar.c'))
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 2ac4aedfff..f6668ab01d 100644
+index cf21b5e40a..60fa93c85e 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1015,3 +1015,36 @@ void hmp_info_snapshots(Monitor *mon, const QDict *qdict)
+@@ -1017,3 +1017,36 @@ void hmp_info_snapshots(Monitor *mon, const QDict *qdict)
      g_free(sn_tab);
      g_free(global_snapshots);
  }
@@ -88,7 +88,7 @@ index 2ac4aedfff..f6668ab01d 100644
 +    hmp_handle_error(mon, error);
 +}
 diff --git a/blockdev.c b/blockdev.c
-index b35072644e..c0bc3db33e 100644
+index 5b15a86bfa..cba1078815 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -36,6 +36,7 @@
@@ -100,10 +100,10 @@ index b35072644e..c0bc3db33e 100644
  #include "monitor/monitor.h"
  #include "qemu/error-report.h"
 diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
-index 245f8acc55..3e7f2421eb 100644
+index 489c524e9e..bc1d46d845 100644
 --- a/hmp-commands-info.hx
 +++ b/hmp-commands-info.hx
-@@ -482,6 +482,20 @@ SRST
+@@ -486,6 +486,20 @@ SRST
      Show the current VM UUID.
  ERST
  
@@ -125,10 +125,10 @@ index 245f8acc55..3e7f2421eb 100644
      {
          .name       = "usernet",
 diff --git a/hmp-commands.hx b/hmp-commands.hx
-index 1ad13b668b..d4bb00216e 100644
+index 039be0033d..fcf9461295 100644
 --- a/hmp-commands.hx
 +++ b/hmp-commands.hx
-@@ -99,6 +99,35 @@ ERST
+@@ -101,6 +101,35 @@ ERST
  SRST
  ``block_stream``
    Copy data from a backing file into a block device.
@@ -164,24 +164,11 @@ index 1ad13b668b..d4bb00216e 100644
  ERST
  
      {
-diff --git a/include/block/block_int.h b/include/block/block_int.h
-index 169dc43d59..92f90c43eb 100644
---- a/include/block/block_int.h
-+++ b/include/block/block_int.h
-@@ -67,7 +67,7 @@
- 
- typedef int BackupDumpFunc(void *opaque, uint64_t offset, uint64_t bytes, const void *buf);
- 
--BlockDriverState *bdrv_backuo_dump_create(
-+BlockDriverState *bdrv_backup_dump_create(
-     int dump_cb_block_size,
-     uint64_t byte_size,
-     BackupDumpFunc *dump_cb,
 diff --git a/include/monitor/hmp.h b/include/monitor/hmp.h
-index 3a39ba41b5..d269b4c99c 100644
+index 440f86aba8..350527e599 100644
 --- a/include/monitor/hmp.h
 +++ b/include/monitor/hmp.h
-@@ -30,6 +30,7 @@ void hmp_info_savevm(Monitor *mon, const QDict *qdict);
+@@ -31,6 +31,7 @@ void hmp_info_savevm(Monitor *mon, const QDict *qdict);
  void hmp_info_migrate(Monitor *mon, const QDict *qdict);
  void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict);
  void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict);
@@ -189,7 +176,7 @@ index 3a39ba41b5..d269b4c99c 100644
  void hmp_info_cpus(Monitor *mon, const QDict *qdict);
  void hmp_info_vnc(Monitor *mon, const QDict *qdict);
  void hmp_info_spice(Monitor *mon, const QDict *qdict);
-@@ -73,6 +74,8 @@ void hmp_x_colo_lost_heartbeat(Monitor *mon, const QDict *qdict);
+@@ -74,6 +75,8 @@ void hmp_x_colo_lost_heartbeat(Monitor *mon, const QDict *qdict);
  void hmp_set_password(Monitor *mon, const QDict *qdict);
  void hmp_expire_password(Monitor *mon, const QDict *qdict);
  void hmp_change(Monitor *mon, const QDict *qdict);
@@ -199,10 +186,10 @@ index 3a39ba41b5..d269b4c99c 100644
  void hmp_device_add(Monitor *mon, const QDict *qdict);
  void hmp_device_del(Monitor *mon, const QDict *qdict);
 diff --git a/meson.build b/meson.build
-index 54c23b9567..37dab249cc 100644
+index a496f6fe10..406112d96f 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -1203,6 +1203,7 @@ keyutils = dependency('libkeyutils', required: false,
+@@ -1526,6 +1526,7 @@ keyutils = dependency('libkeyutils', required: false,
  has_gettid = cc.has_function('gettid')
  
  libuuid = cc.find_library('uuid', required: true)
@@ -211,10 +198,10 @@ index 54c23b9567..37dab249cc 100644
  # libselinux
  selinux = dependency('libselinux',
 diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index 5000ce39d1..b2687eae3a 100644
+index cfebfd1db5..a40b25e906 100644
 --- a/monitor/hmp-cmds.c
 +++ b/monitor/hmp-cmds.c
-@@ -195,6 +195,50 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict)
+@@ -199,6 +199,50 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict)
      qapi_free_MouseInfoList(mice_list);
  }
  
@@ -262,9 +249,9 @@ index 5000ce39d1..b2687eae3a 100644
 +    qapi_free_BackupStatus(info);
 +}
 +
- static char *SocketAddress_to_str(SocketAddress *addr)
+ void hmp_info_migrate(Monitor *mon, const QDict *qdict)
  {
-     switch (addr->type) {
+     MigrationInfo *info;
 diff --git a/proxmox-backup-client.c b/proxmox-backup-client.c
 new file mode 100644
 index 0000000000..a8f6653a81
@@ -514,10 +501,10 @@ index 0000000000..1dda8b7d8f
 +#endif /* PROXMOX_BACKUP_CLIENT_H */
 diff --git a/pve-backup.c b/pve-backup.c
 new file mode 100644
-index 0000000000..88f5ee133f
+index 0000000000..6af212b9b4
 --- /dev/null
 +++ b/pve-backup.c
-@@ -0,0 +1,959 @@
+@@ -0,0 +1,956 @@
 +#include "proxmox-backup-client.h"
 +#include "vma.h"
 +
@@ -595,14 +582,16 @@ index 0000000000..88f5ee133f
 +lookup_active_block_job(PVEBackupDevInfo *di)
 +{
 +    if (!di->completed && di->bs) {
-+        for (BlockJob *job = block_job_next(NULL); job; job = block_job_next(job)) {
-+            if (job->job.driver->job_type != JOB_TYPE_BACKUP) {
-+                continue;
-+            }
++        WITH_JOB_LOCK_GUARD() {
++            for (BlockJob *job = block_job_next_locked(NULL); job; job = block_job_next_locked(job)) {
++                if (job->job.driver->job_type != JOB_TYPE_BACKUP) {
++                    continue;
++                }
 +
-+            BackupBlockJob *bjob = container_of(job, BackupBlockJob, common);
-+            if (bjob && bjob->source_bs == di->bs) {
-+                return job;
++                BackupBlockJob *bjob = container_of(job, BackupBlockJob, common);
++                if (bjob && bjob->source_bs == di->bs) {
++                    return job;
++                }
 +            }
 +        }
 +    }
@@ -872,10 +861,7 @@ index 0000000000..88f5ee133f
 +        qemu_mutex_unlock(&backup_state.backup_mutex);
 +
 +        if (next_job) {
-+            AioContext *aio_context = next_job->job.aio_context;
-+            aio_context_acquire(aio_context);
 +            job_cancel_sync(&next_job->job, true);
-+            aio_context_release(aio_context);
 +        } else {
 +            break;
 +        }
@@ -937,7 +923,7 @@ index 0000000000..88f5ee133f
 +    goto out;
 +}
 +
-+bool job_should_pause(Job *job);
++bool job_should_pause_locked(Job *job);
 +
 +static void pvebackup_run_next_job(void)
 +{
@@ -955,18 +941,16 @@ index 0000000000..88f5ee133f
 +        if (job) {
 +            qemu_mutex_unlock(&backup_state.backup_mutex);
 +
-+            AioContext *aio_context = job->job.aio_context;
-+            aio_context_acquire(aio_context);
-+
-+            if (job_should_pause(&job->job)) {
-+                bool error_or_canceled = pvebackup_error_or_canceled();
-+                if (error_or_canceled) {
-+                    job_cancel_sync(&job->job, true);
-+                } else {
-+                    job_resume(&job->job);
++            WITH_JOB_LOCK_GUARD() {
++                if (job_should_pause_locked(&job->job)) {
++                    bool error_or_canceled = pvebackup_error_or_canceled();
++                    if (error_or_canceled) {
++                        job_cancel_sync_locked(&job->job, true);
++                    } else {
++                        job_resume_locked(&job->job);
++                    }
 +                }
 +            }
-+            aio_context_release(aio_context);
 +            return;
 +        }
 +    }
@@ -1150,7 +1134,7 @@ index 0000000000..88f5ee133f
 +
 +        ssize_t size = bdrv_getlength(di->bs);
 +        if (size < 0) {
-+            error_setg_errno(task->errp, -di->size, "bdrv_getlength failed");
++            error_setg_errno(task->errp, -size, "bdrv_getlength failed");
 +            goto err;
 +        }
 +        di->size = size;
@@ -1478,12 +1462,12 @@ index 0000000000..88f5ee133f
 +    return info;
 +}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 3f81d6a5c0..551ee28275 100644
+index 9e902b96bb..c3b6b93472 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -744,6 +744,115 @@
- { 'command': 'query-block', 'returns': ['BlockInfo'] }
- 
+@@ -740,6 +740,115 @@
+ { 'command': 'query-block', 'returns': ['BlockInfo'],
+   'allow-preconfig': true }
  
 +##
 +# @BackupStatus:
@@ -1598,10 +1582,10 @@ index 3f81d6a5c0..551ee28275 100644
  # @BlockDeviceTimedStats:
  #
 diff --git a/qapi/common.json b/qapi/common.json
-index 412cc4f5ae..3e7a77ea66 100644
+index 356db3f670..aae8a3b682 100644
 --- a/qapi/common.json
 +++ b/qapi/common.json
-@@ -208,3 +208,16 @@
+@@ -206,3 +206,16 @@
  ##
  { 'struct': 'HumanReadableText',
    'data': { 'human-readable-text': 'str' } }
@@ -1619,7 +1603,7 @@ index 412cc4f5ae..3e7a77ea66 100644
 +##
 +{ 'struct': 'UuidInfo', 'data': {'UUID': 'str'} }
 diff --git a/qapi/machine.json b/qapi/machine.json
-index a05c46e253..e2cec7922f 100644
+index f4fb1b2c9c..0d6ee836ed 100644
 --- a/qapi/machine.json
 +++ b/qapi/machine.json
 @@ -4,6 +4,8 @@
@@ -1631,7 +1615,7 @@ index a05c46e253..e2cec7922f 100644
  ##
  # = Machines
  ##
-@@ -229,19 +231,6 @@
+@@ -226,19 +228,6 @@
  ##
  { 'command': 'query-target', 'returns': 'TargetInfo' }
  

debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch

@@ -7,15 +7,15 @@ Subject: [PATCH] PVE-Backup: pbs-restore - new command to restore from proxmox
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
  meson.build   |   4 +
- pbs-restore.c | 224 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 228 insertions(+)
+ pbs-restore.c | 223 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 227 insertions(+)
  create mode 100644 pbs-restore.c
 
 diff --git a/meson.build b/meson.build
-index 37dab249cc..1a4dfab4e2 100644
+index 406112d96f..9c46881eb7 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -3076,6 +3076,10 @@ if have_tools
+@@ -3604,6 +3604,10 @@ if have_tools
    vma = executable('vma', files('vma.c', 'vma-reader.c') + genh,
                     dependencies: [authz, block, crypto, io, qom], install: true)
  
@@ -28,10 +28,10 @@ index 37dab249cc..1a4dfab4e2 100644
    subdir('contrib/elf2dmp')
 diff --git a/pbs-restore.c b/pbs-restore.c
 new file mode 100644
-index 0000000000..4d3f925a1b
+index 0000000000..2f834cf42e
 --- /dev/null
 +++ b/pbs-restore.c
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,223 @@
 +/*
 + * Qemu image restore helper for Proxmox Backup
 + *
@@ -50,7 +50,6 @@ index 0000000000..4d3f925a1b
 +#include <getopt.h>
 +#include <string.h>
 +
-+#include "qemu-common.h"
 +#include "qemu/module.h"
 +#include "qemu/error-report.h"
 +#include "qemu/main-loop.h"
@@ -96,7 +95,7 @@ index 0000000000..4d3f925a1b
 +        }
 +        res = blk_pwrite_zeroes(callback_data->target, offset, data_len, 0);
 +    } else {
-+        res = blk_pwrite(callback_data->target, offset, data, data_len, 0);
++        res = blk_pwrite(callback_data->target, offset, data_len, data, 0);
 +    }
 +
 +    if (res < 0) {

debian/patches/pve/0031-PVE-Backup-Add-dirty-bitmap-tracking-for-incremental.patch

@@ -29,10 +29,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  6 files changed, 142 insertions(+), 23 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index f6668ab01d..3c06734e6d 100644
+index 60fa93c85e..8b23bdedac 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1042,6 +1042,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1044,6 +1044,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
          false, NULL, // PBS fingerprint
          false, NULL, // PBS backup-id
          false, 0, // PBS backup-time
@@ -41,10 +41,10 @@ index f6668ab01d..3c06734e6d 100644
          false, NULL, false, NULL, !!devlist,
          devlist, qdict_haskey(qdict, "speed"), speed, &error);
 diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index b2687eae3a..cfd7a60f32 100644
+index a40b25e906..670f783515 100644
 --- a/monitor/hmp-cmds.c
 +++ b/monitor/hmp-cmds.c
-@@ -221,19 +221,42 @@ void hmp_info_backup(Monitor *mon, const QDict *qdict)
+@@ -225,19 +225,42 @@ void hmp_info_backup(Monitor *mon, const QDict *qdict)
              monitor_printf(mon, "End time: %s", ctime(&info->end_time));
          }
  
@@ -132,7 +132,7 @@ index 1dda8b7d8f..8cbf645b2c 100644
  
  
 diff --git a/pve-backup.c b/pve-backup.c
-index 88f5ee133f..1c49cd178d 100644
+index 6af212b9b4..3f97cf6532 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -28,6 +28,8 @@
@@ -162,7 +162,7 @@ index 88f5ee133f..1c49cd178d 100644
      BlockDriverState *target;
  } PVEBackupDevInfo;
  
-@@ -105,11 +110,12 @@ static bool pvebackup_error_or_canceled(void)
+@@ -107,11 +112,12 @@ static bool pvebackup_error_or_canceled(void)
      return error_or_canceled;
  }
  
@@ -176,7 +176,7 @@ index 88f5ee133f..1c49cd178d 100644
      qemu_mutex_unlock(&backup_state.stat.lock);
  }
  
-@@ -148,7 +154,8 @@ pvebackup_co_dump_pbs_cb(
+@@ -150,7 +156,8 @@ pvebackup_co_dump_pbs_cb(
          pvebackup_propagate_error(local_err);
          return pbs_res;
      } else {
@@ -186,7 +186,7 @@ index 88f5ee133f..1c49cd178d 100644
      }
  
      return size;
-@@ -208,11 +215,11 @@ pvebackup_co_dump_vma_cb(
+@@ -210,11 +217,11 @@ pvebackup_co_dump_vma_cb(
          } else {
              if (remaining >= VMA_CLUSTER_SIZE) {
                  assert(ret == VMA_CLUSTER_SIZE);
@@ -200,7 +200,7 @@ index 88f5ee133f..1c49cd178d 100644
                  remaining = 0;
              }
          }
-@@ -248,6 +255,18 @@ static void coroutine_fn pvebackup_co_cleanup(void *unused)
+@@ -250,6 +257,18 @@ static void coroutine_fn pvebackup_co_cleanup(void *unused)
              if (local_err != NULL) {
                  pvebackup_propagate_error(local_err);
              }
@@ -219,7 +219,7 @@ index 88f5ee133f..1c49cd178d 100644
          }
  
          proxmox_backup_disconnect(backup_state.pbs);
-@@ -303,6 +322,12 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+@@ -305,6 +324,12 @@ static void pvebackup_complete_cb(void *opaque, int ret)
      // remove self from job queue
      backup_state.di_list = g_list_remove(backup_state.di_list, di);
  
@@ -232,7 +232,7 @@ index 88f5ee133f..1c49cd178d 100644
      g_free(di);
  
      qemu_mutex_unlock(&backup_state.backup_mutex);
-@@ -472,12 +497,18 @@ static bool create_backup_jobs(void) {
+@@ -469,12 +494,18 @@ static bool create_backup_jobs(void) {
  
          assert(di->target != NULL);
  
@@ -253,7 +253,7 @@ index 88f5ee133f..1c49cd178d 100644
              JOB_DEFAULT, pvebackup_complete_cb, di, NULL, &local_err);
  
          aio_context_release(aio_context);
-@@ -528,6 +559,8 @@ typedef struct QmpBackupTask {
+@@ -525,6 +556,8 @@ typedef struct QmpBackupTask {
      const char *fingerprint;
      bool has_fingerprint;
      int64_t backup_time;
@@ -262,7 +262,7 @@ index 88f5ee133f..1c49cd178d 100644
      bool has_format;
      BackupFormat format;
      bool has_config_file;
-@@ -619,6 +652,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -616,6 +649,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      }
  
      size_t total = 0;
@@ -270,7 +270,7 @@ index 88f5ee133f..1c49cd178d 100644
  
      l = di_list;
      while (l) {
-@@ -656,6 +690,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -653,6 +687,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
          int dump_cb_block_size = PROXMOX_BACKUP_DEFAULT_CHUNK_SIZE; // Hardcoded (4M)
          firewall_name = "fw.conf";
  
@@ -279,7 +279,7 @@ index 88f5ee133f..1c49cd178d 100644
          char *pbs_err = NULL;
          pbs = proxmox_backup_new(
              task->backup_file,
-@@ -675,7 +711,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -672,7 +708,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              goto err;
          }
  
@@ -289,7 +289,7 @@ index 88f5ee133f..1c49cd178d 100644
              goto err;
  
          /* register all devices */
-@@ -686,9 +723,40 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -683,9 +720,40 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
  
              const char *devname = bdrv_get_device_name(di->bs);
  
@@ -332,7 +332,7 @@ index 88f5ee133f..1c49cd178d 100644
  
              if (!(di->target = bdrv_backup_dump_create(dump_cb_block_size, di->size, pvebackup_co_dump_pbs_cb, di, task->errp))) {
                  goto err;
-@@ -697,6 +765,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -694,6 +762,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              di->dev_id = dev_id;
          }
      } else if (format == BACKUP_FORMAT_VMA) {
@@ -341,7 +341,7 @@ index 88f5ee133f..1c49cd178d 100644
          vmaw = vma_writer_create(task->backup_file, uuid, &local_err);
          if (!vmaw) {
              if (local_err) {
-@@ -724,6 +794,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -721,6 +791,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              }
          }
      } else if (format == BACKUP_FORMAT_DIR) {
@@ -350,7 +350,7 @@ index 88f5ee133f..1c49cd178d 100644
          if (mkdir(task->backup_file, 0640) != 0) {
              error_setg_errno(task->errp, errno, "can't create directory '%s'\n",
                               task->backup_file);
-@@ -796,8 +868,10 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -793,8 +865,10 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      char *uuid_str = g_strdup(backup_state.stat.uuid_str);
  
      backup_state.stat.total = total;
@@ -361,7 +361,7 @@ index 88f5ee133f..1c49cd178d 100644
  
      qemu_mutex_unlock(&backup_state.stat.lock);
  
-@@ -821,6 +895,10 @@ err:
+@@ -818,6 +892,10 @@ err:
          PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
          l = g_list_next(l);
  
@@ -372,7 +372,7 @@ index 88f5ee133f..1c49cd178d 100644
          if (di->target) {
              bdrv_unref(di->target);
          }
-@@ -862,6 +940,7 @@ UuidInfo *qmp_backup(
+@@ -859,6 +937,7 @@ UuidInfo *qmp_backup(
      bool has_fingerprint, const char *fingerprint,
      bool has_backup_id, const char *backup_id,
      bool has_backup_time, int64_t backup_time,
@@ -380,7 +380,7 @@ index 88f5ee133f..1c49cd178d 100644
      bool has_format, BackupFormat format,
      bool has_config_file, const char *config_file,
      bool has_firewall_file, const char *firewall_file,
-@@ -880,6 +959,8 @@ UuidInfo *qmp_backup(
+@@ -877,6 +956,8 @@ UuidInfo *qmp_backup(
          .backup_id = backup_id,
          .has_backup_time = has_backup_time,
          .backup_time = backup_time,
@@ -389,7 +389,7 @@ index 88f5ee133f..1c49cd178d 100644
          .has_format = has_format,
          .format = format,
          .has_config_file = has_config_file,
-@@ -948,10 +1029,14 @@ BackupStatus *qmp_query_backup(Error **errp)
+@@ -945,10 +1026,14 @@ BackupStatus *qmp_query_backup(Error **errp)
  
      info->has_total = true;
      info->total = backup_state.stat.total;
@@ -405,10 +405,10 @@ index 88f5ee133f..1c49cd178d 100644
      qemu_mutex_unlock(&backup_state.stat.lock);
  
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 551ee28275..b9d6f52f0c 100644
+index c3b6b93472..992e6c1e3f 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -757,8 +757,13 @@
+@@ -753,8 +753,13 @@
  #
  # @total: total amount of bytes involved in the backup process
  #
@@ -422,7 +422,7 @@ index 551ee28275..b9d6f52f0c 100644
  # @zero-bytes: amount of 'zero' bytes detected.
  #
  # @start-time: time (epoch) when backup job started.
-@@ -771,8 +776,8 @@
+@@ -767,8 +772,8 @@
  #
  ##
  { 'struct': 'BackupStatus',
@@ -433,7 +433,7 @@ index 551ee28275..b9d6f52f0c 100644
             '*start-time': 'int', '*end-time': 'int',
             '*backup-file': 'str', '*uuid': 'str' } }
  
-@@ -815,6 +820,8 @@
+@@ -811,6 +816,8 @@
  #
  # @backup-time: backup timestamp (Unix epoch, required for format 'pbs')
  #
@@ -442,7 +442,7 @@ index 551ee28275..b9d6f52f0c 100644
  # Returns: the uuid of the backup job
  #
  ##
-@@ -825,6 +832,7 @@
+@@ -821,6 +828,7 @@
                                      '*fingerprint': 'str',
                                      '*backup-id': 'str',
                                      '*backup-time': 'int',

debian/patches/pve/0032-PVE-various-PBS-fixes.patch

@@ -19,10 +19,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 54 insertions(+), 13 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 3c06734e6d..4481b60a5c 100644
+index 8b23bdedac..f59b02592e 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1042,7 +1042,9 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1044,7 +1044,9 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
          false, NULL, // PBS fingerprint
          false, NULL, // PBS backup-id
          false, 0, // PBS backup-time
@@ -34,7 +34,7 @@ index 3c06734e6d..4481b60a5c 100644
          false, NULL, false, NULL, !!devlist,
          devlist, qdict_haskey(qdict, "speed"), speed, &error);
 diff --git a/pve-backup.c b/pve-backup.c
-index 1c49cd178d..c15abefdda 100644
+index 3f97cf6532..a275a1d4e1 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -8,6 +8,7 @@
@@ -53,7 +53,7 @@ index 1c49cd178d..c15abefdda 100644
      uint8_t dev_id;
      bool completed;
      char targetfile[PATH_MAX];
-@@ -135,10 +137,13 @@ pvebackup_co_dump_pbs_cb(
+@@ -137,10 +139,13 @@ pvebackup_co_dump_pbs_cb(
      PVEBackupDevInfo *di = opaque;
  
      assert(backup_state.pbs);
@@ -67,7 +67,7 @@ index 1c49cd178d..c15abefdda 100644
      qemu_co_mutex_lock(&backup_state.dump_callback_mutex);
  
      // avoid deadlock if job is cancelled
-@@ -147,17 +152,29 @@ pvebackup_co_dump_pbs_cb(
+@@ -149,17 +154,29 @@ pvebackup_co_dump_pbs_cb(
          return -1;
      }
  
@@ -105,7 +105,7 @@ index 1c49cd178d..c15abefdda 100644
      return size;
  }
  
-@@ -178,6 +195,7 @@ pvebackup_co_dump_vma_cb(
+@@ -180,6 +197,7 @@ pvebackup_co_dump_vma_cb(
      int ret = -1;
  
      assert(backup_state.vmaw);
@@ -113,7 +113,7 @@ index 1c49cd178d..c15abefdda 100644
  
      uint64_t remaining = size;
  
-@@ -204,9 +222,7 @@ pvebackup_co_dump_vma_cb(
+@@ -206,9 +224,7 @@ pvebackup_co_dump_vma_cb(
          qemu_co_mutex_unlock(&backup_state.dump_callback_mutex);
  
          ++cluster_num;
@@ -124,7 +124,7 @@ index 1c49cd178d..c15abefdda 100644
          if (ret < 0) {
              Error *local_err = NULL;
              vma_writer_error_propagate(backup_state.vmaw, &local_err);
-@@ -569,6 +585,10 @@ typedef struct QmpBackupTask {
+@@ -566,6 +582,10 @@ typedef struct QmpBackupTask {
      const char *firewall_file;
      bool has_devlist;
      const char *devlist;
@@ -135,7 +135,7 @@ index 1c49cd178d..c15abefdda 100644
      bool has_speed;
      int64_t speed;
      Error **errp;
-@@ -692,6 +712,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -689,6 +709,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
  
          bool use_dirty_bitmap = task->has_use_dirty_bitmap && task->use_dirty_bitmap;
  
@@ -143,7 +143,7 @@ index 1c49cd178d..c15abefdda 100644
          char *pbs_err = NULL;
          pbs = proxmox_backup_new(
              task->backup_file,
-@@ -701,8 +722,10 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -698,8 +719,10 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              task->has_password ? task->password : NULL,
              task->has_keyfile ? task->keyfile : NULL,
              task->has_key_password ? task->key_password : NULL,
@@ -155,7 +155,7 @@ index 1c49cd178d..c15abefdda 100644
  
          if (!pbs) {
              error_set(task->errp, ERROR_CLASS_GENERIC_ERROR,
-@@ -721,6 +744,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -718,6 +741,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
              l = g_list_next(l);
  
@@ -164,7 +164,7 @@ index 1c49cd178d..c15abefdda 100644
              const char *devname = bdrv_get_device_name(di->bs);
  
              BdrvDirtyBitmap *bitmap = bdrv_find_dirty_bitmap(di->bs, PBS_BITMAP_NAME);
-@@ -941,6 +966,8 @@ UuidInfo *qmp_backup(
+@@ -938,6 +963,8 @@ UuidInfo *qmp_backup(
      bool has_backup_id, const char *backup_id,
      bool has_backup_time, int64_t backup_time,
      bool has_use_dirty_bitmap, bool use_dirty_bitmap,
@@ -173,7 +173,7 @@ index 1c49cd178d..c15abefdda 100644
      bool has_format, BackupFormat format,
      bool has_config_file, const char *config_file,
      bool has_firewall_file, const char *firewall_file,
-@@ -951,6 +978,8 @@ UuidInfo *qmp_backup(
+@@ -948,6 +975,8 @@ UuidInfo *qmp_backup(
          .backup_file = backup_file,
          .has_password = has_password,
          .password = password,
@@ -182,7 +182,7 @@ index 1c49cd178d..c15abefdda 100644
          .has_key_password = has_key_password,
          .key_password = key_password,
          .has_fingerprint = has_fingerprint,
-@@ -961,6 +990,10 @@ UuidInfo *qmp_backup(
+@@ -958,6 +987,10 @@ UuidInfo *qmp_backup(
          .backup_time = backup_time,
          .has_use_dirty_bitmap = has_use_dirty_bitmap,
          .use_dirty_bitmap = use_dirty_bitmap,
@@ -194,10 +194,10 @@ index 1c49cd178d..c15abefdda 100644
          .format = format,
          .has_config_file = has_config_file,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index b9d6f52f0c..5d8e2eb303 100644
+index 992e6c1e3f..5ac6276dc1 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -822,6 +822,10 @@
+@@ -818,6 +818,10 @@
  #
  # @use-dirty-bitmap: use dirty bitmap to detect incremental changes since last job (optional for format 'pbs')
  #
@@ -208,7 +208,7 @@ index b9d6f52f0c..5d8e2eb303 100644
  # Returns: the uuid of the backup job
  #
  ##
-@@ -833,6 +837,8 @@
+@@ -829,6 +833,8 @@
                                      '*backup-id': 'str',
                                      '*backup-time': 'int',
                                      '*use-dirty-bitmap': 'bool',

debian/patches/pve/0033-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch

@@ -7,22 +7,24 @@ Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 [error cleanups, file_open implementation]
 Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[adapt to changed function signatures]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+[FE: adapt to changed function signatures
+     make pbs_co_preadv return values consistent with QEMU]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  block/meson.build    |   3 +
  block/pbs.c          | 276 +++++++++++++++++++++++++++++++++++++++++++
  configure            |   9 ++
- meson.build          |   1 +
+ meson.build          |   2 +-
  qapi/block-core.json |  13 ++
- 5 files changed, 302 insertions(+)
+ qapi/pragma.json     |   1 +
+ 6 files changed, 303 insertions(+), 1 deletion(-)
  create mode 100644 block/pbs.c
 
 diff --git a/block/meson.build b/block/meson.build
-index 9d3dd5b7c3..8c758c0218 100644
+index e995ae72b9..7ef2fa72d5 100644
 --- a/block/meson.build
 +++ b/block/meson.build
-@@ -51,6 +51,9 @@ block_ss.add(files(
+@@ -53,6 +53,9 @@ block_ss.add(files(
    '../pve-backup.c',
  ), libproxmox_backup_qemu)
  
@@ -31,10 +33,10 @@ index 9d3dd5b7c3..8c758c0218 100644
 +
  
  softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
- 
+ softmmu_ss.add(files('block-ram-registrar.c'))
 diff --git a/block/pbs.c b/block/pbs.c
 new file mode 100644
-index 0000000000..0b05ea9080
+index 0000000000..9d1f1f39d4
 --- /dev/null
 +++ b/block/pbs.c
 @@ -0,0 +1,276 @@
@@ -244,7 +246,7 @@ index 0000000000..0b05ea9080
 +
 +    if (offset < 0 || bytes < 0) {
 +        fprintf(stderr, "unexpected negative 'offset' or 'bytes' value!\n");
-+        return -EINVAL;
++        return -EIO;
 +    }
 +
 +    ReadCallbackData rcb = {
@@ -266,7 +268,7 @@ index 0000000000..0b05ea9080
 +    qemu_iovec_from_buf(qiov, 0, buf, bytes);
 +    free(buf);
 +
-+    return ret;
++    return 0;
 +}
 +
 +static coroutine_fn int pbs_co_pwritev(BlockDriverState *bs,
@@ -315,71 +317,72 @@ index 0000000000..0b05ea9080
 +
 +block_init(bdrv_pbs_init);
 diff --git a/configure b/configure
-index 48c21775f3..eda4e9225a 100755
+index 5f1828f1ec..c9b70b5e9a 100755
 --- a/configure
 +++ b/configure
-@@ -356,6 +356,7 @@ vdi=${default_feature:-yes}
- vvfat=${default_feature:-yes}
- qed=${default_feature:-yes}
- parallels=${default_feature:-yes}
+@@ -285,6 +285,7 @@ linux_user=""
+ bsd_user=""
+ pie=""
+ coroutine=""
 +pbs_bdrv="yes"
- debug_mutex="no"
  plugins="$default_feature"
- rng_none="no"
-@@ -1126,6 +1127,10 @@ for opt do
-   ;;
-   --enable-parallels) parallels="yes"
+ meson=""
+ ninja=""
+@@ -864,6 +865,10 @@ for opt do
+   --enable-uuid|--disable-uuid)
+       echo "$0: $opt is obsolete, UUID support is always built" >&2
    ;;
 +  --disable-pbs-bdrv) pbs_bdrv="no"
 +  ;;
 +  --enable-pbs-bdrv) pbs_bdrv="yes"
 +  ;;
-   --disable-vhost-user) vhost_user="no"
+   --with-git=*) git="$optarg"
    ;;
-   --enable-vhost-user) vhost_user="yes"
-@@ -1465,6 +1470,7 @@ cat << EOF
-   vvfat           vvfat image format support
-   qed             qed image format support
-   parallels       parallels image format support
+   --with-git-submodules=*)
+@@ -1049,6 +1054,7 @@ cat << EOF
+   debug-info      debugging information
+   safe-stack      SafeStack Stack Smash Protection. Depends on
+                   clang/llvm >= 3.7 and requires coroutine backend ucontext.
 +  pbs-bdrv        Proxmox backup server read-only block driver support
-   crypto-afalg    Linux AF_ALG crypto backend driver
-   debug-mutex     mutex debugging support
-   rng-none        dummy RNG, avoid using /dev/(u)random and getrandom()
-@@ -3534,6 +3540,9 @@ if test "$xen" = "enabled" ; then
-   echo "XEN_CFLAGS=$xen_cflags" >> $config_host_mak
-   echo "XEN_LIBS=$xen_libs" >> $config_host_mak
+ 
+ NOTE: The object files are built at the place where configure is launched
+ EOF
+@@ -2372,6 +2378,9 @@ echo "TARGET_DIRS=$target_list" >> $config_host_mak
+ if test "$modules" = "yes"; then
+   echo "CONFIG_MODULES=y" >> $config_host_mak
  fi
 +if test "$pbs_bdrv" = "yes" ; then
 +  echo "CONFIG_PBS_BDRV=y" >> $config_host_mak
 +fi
- if test "$vhost_scsi" = "yes" ; then
-   echo "CONFIG_VHOST_SCSI=y" >> $config_host_mak
- fi
+ 
+ # XXX: suppress that
+ if [ "$bsd" = "yes" ] ; then
 diff --git a/meson.build b/meson.build
-index 1a4dfab4e2..85b3c63199 100644
+index 9c46881eb7..93ebda47af 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -3448,6 +3448,7 @@ summary_info += {'lzfse support':     liblzfse}
+@@ -3980,7 +3980,7 @@ summary_info += {'bzip2 support':     libbzip2}
+ summary_info += {'lzfse support':     liblzfse}
  summary_info += {'zstd support':      zstd}
- summary_info += {'NUMA host support': config_host.has_key('CONFIG_NUMA')}
- summary_info += {'libxml2':           libxml2}
+ summary_info += {'NUMA host support': numa}
+-summary_info += {'capstone':          capstone}
 +summary_info += {'PBS bdrv support':  config_host.has_key('CONFIG_PBS_BDRV')}
- summary_info += {'capstone':          capstone_opt == 'internal' ? capstone_opt : capstone}
  summary_info += {'libpmem support':   libpmem}
  summary_info += {'libdaxctl support': libdaxctl}
+ summary_info += {'libudev':           libudev}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 5d8e2eb303..777863e33b 100644
+index 5ac6276dc1..45b63dfe26 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -3053,6 +3053,7 @@
-             'luks', 'nbd', 'nfs', 'null-aio', 'null-co', 'nvme', 'parallels',
-             'preallocate', 'qcow', 'qcow2', 'qed', 'quorum', 'raw', 'rbd',
+@@ -3103,6 +3103,7 @@
+             'parallels', 'preallocate', 'qcow', 'qcow2', 'qed', 'quorum',
+             'raw', 'rbd',
              { 'name': 'replication', 'if': 'CONFIG_REPLICATION' },
 +            'pbs',
-             'ssh', 'throttle', 'vdi', 'vhdx', 'vmdk', 'vpc', 'vvfat' ] }
- 
- ##
-@@ -3125,6 +3126,17 @@
+             'ssh', 'throttle', 'vdi', 'vhdx',
+             { 'name': 'virtio-blk-vfio-pci', 'if': 'CONFIG_BLKIO' },
+             { 'name': 'virtio-blk-vhost-user', 'if': 'CONFIG_BLKIO' },
+@@ -3179,6 +3180,17 @@
  { 'struct': 'BlockdevOptionsNull',
    'data': { '*size': 'int', '*latency-ns': 'uint64', '*read-zeroes': 'bool' } }
  
@@ -397,11 +400,23 @@ index 5d8e2eb303..777863e33b 100644
  ##
  # @BlockdevOptionsNVMe:
  #
-@@ -4367,6 +4379,7 @@
+@@ -4531,6 +4543,7 @@
        'nfs':        'BlockdevOptionsNfs',
        'null-aio':   'BlockdevOptionsNull',
        'null-co':    'BlockdevOptionsNull',
 +      'pbs':        'BlockdevOptionsPbs',
        'nvme':       'BlockdevOptionsNVMe',
-       'parallels':  'BlockdevOptionsGenericFormat',
-       'preallocate':'BlockdevOptionsPreallocate',
+       'nvme-io_uring': { 'type': 'BlockdevOptionsNvmeIoUring',
+                          'if': 'CONFIG_BLKIO' },
+diff --git a/qapi/pragma.json b/qapi/pragma.json
+index f2097b9020..5ab1890519 100644
+--- a/qapi/pragma.json
++++ b/qapi/pragma.json
+@@ -47,6 +47,7 @@
+         'BlockInfo',                # query-block
+         'BlockdevAioOptions',       # blockdev-add, -blockdev
+         'BlockdevDriver',           # blockdev-add, query-blockstats, ...
++        'BlockdevOptionsPbs',       # for PBS backwards compat
+         'BlockdevVmdkAdapterType',  # blockdev-create (to match VMDK spec)
+         'BlockdevVmdkSubformat',    # blockdev-create (to match VMDK spec)
+         'ColoCompareProperties',    # object_add, -object

debian/patches/pve/0034-PVE-add-query_proxmox_support-QMP-command.patch

@@ -16,10 +16,10 @@ Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
  2 files changed, 38 insertions(+)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index c15abefdda..4684789813 100644
+index a275a1d4e1..b10373cd8a 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
-@@ -1075,3 +1075,12 @@ BackupStatus *qmp_query_backup(Error **errp)
+@@ -1072,3 +1072,12 @@ BackupStatus *qmp_query_backup(Error **errp)
  
      return info;
  }
@@ -33,10 +33,10 @@ index c15abefdda..4684789813 100644
 +    return ret;
 +}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 777863e33b..cfd980b70f 100644
+index 45b63dfe26..8b0e0d92de 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -867,6 +867,35 @@
+@@ -863,6 +863,35 @@
  ##
  { 'command': 'backup-cancel' }
  

debian/patches/pve/0035-PVE-add-query-pbs-bitmap-info-QMP-call.patch

@@ -15,10 +15,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 159 insertions(+), 42 deletions(-)
 
 diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index cfd7a60f32..b613190a3c 100644
+index 670f783515..d819e5fc36 100644
 --- a/monitor/hmp-cmds.c
 +++ b/monitor/hmp-cmds.c
-@@ -198,6 +198,7 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict)
+@@ -202,6 +202,7 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict)
  void hmp_info_backup(Monitor *mon, const QDict *qdict)
  {
      BackupStatus *info;
@@ -26,7 +26,7 @@ index cfd7a60f32..b613190a3c 100644
  
      info = qmp_query_backup(NULL);
  
-@@ -228,26 +229,29 @@ void hmp_info_backup(Monitor *mon, const QDict *qdict)
+@@ -232,26 +233,29 @@ void hmp_info_backup(Monitor *mon, const QDict *qdict)
              // this should not happen normally
              monitor_printf(mon, "Total size: %d\n", 0);
          } else {
@@ -69,7 +69,7 @@ index cfd7a60f32..b613190a3c 100644
                             info->zero_bytes, zero_per);
  
 diff --git a/pve-backup.c b/pve-backup.c
-index 4684789813..f90abaa50a 100644
+index b10373cd8a..8ae50e06c3 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -46,6 +46,7 @@ static struct PVEBackupState {
@@ -80,7 +80,7 @@ index 4684789813..f90abaa50a 100644
      } stat;
      int64_t speed;
      VmaWriter *vmaw;
-@@ -672,7 +673,6 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -669,7 +670,6 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      }
  
      size_t total = 0;
@@ -88,7 +88,7 @@ index 4684789813..f90abaa50a 100644
  
      l = di_list;
      while (l) {
-@@ -693,18 +693,33 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -690,18 +690,33 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
  
      uuid_generate(uuid);
  
@@ -125,7 +125,7 @@ index 4684789813..f90abaa50a 100644
          }
  
          int dump_cb_block_size = PROXMOX_BACKUP_DEFAULT_CHUNK_SIZE; // Hardcoded (4M)
-@@ -731,12 +746,12 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -728,12 +743,12 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              error_set(task->errp, ERROR_CLASS_GENERIC_ERROR,
                        "proxmox_backup_new failed: %s", pbs_err);
              proxmox_backup_free_error(pbs_err);
@@ -140,7 +140,7 @@ index 4684789813..f90abaa50a 100644
  
          /* register all devices */
          l = di_list;
-@@ -747,6 +762,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -744,6 +759,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              di->block_size = dump_cb_block_size;
  
              const char *devname = bdrv_get_device_name(di->bs);
@@ -149,7 +149,7 @@ index 4684789813..f90abaa50a 100644
  
              BdrvDirtyBitmap *bitmap = bdrv_find_dirty_bitmap(di->bs, PBS_BITMAP_NAME);
              bool expect_only_dirty = false;
-@@ -755,49 +772,59 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -752,49 +769,59 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
                  if (bitmap == NULL) {
                      bitmap = bdrv_create_dirty_bitmap(di->bs, dump_cb_block_size, PBS_BITMAP_NAME, task->errp);
                      if (!bitmap) {
@@ -219,7 +219,7 @@ index 4684789813..f90abaa50a 100644
          }
  
          /* register all devices for vma writer */
-@@ -807,7 +834,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -804,7 +831,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              l = g_list_next(l);
  
              if (!(di->target = bdrv_backup_dump_create(VMA_CLUSTER_SIZE, di->size, pvebackup_co_dump_vma_cb, di, task->errp))) {
@@ -228,7 +228,7 @@ index 4684789813..f90abaa50a 100644
              }
  
              const char *devname = bdrv_get_device_name(di->bs);
-@@ -815,16 +842,14 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -812,16 +839,14 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              if (di->dev_id <= 0) {
                  error_set(task->errp, ERROR_CLASS_GENERIC_ERROR,
                            "register_stream failed");
@@ -247,7 +247,7 @@ index 4684789813..f90abaa50a 100644
          }
          backup_dir = task->backup_file;
  
-@@ -841,18 +866,18 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -838,18 +863,18 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
                              di->size, flags, false, &local_err);
              if (local_err) {
                  error_propagate(task->errp, local_err);
@@ -269,7 +269,7 @@ index 4684789813..f90abaa50a 100644
      }
  
  
-@@ -860,7 +885,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -857,7 +882,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      if (task->has_config_file) {
          if (pvebackup_co_add_config(task->config_file, config_name, format, backup_dir,
                                      vmaw, pbs, task->errp) != 0) {
@@ -278,7 +278,7 @@ index 4684789813..f90abaa50a 100644
          }
      }
  
-@@ -868,12 +893,11 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -865,12 +890,11 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      if (task->has_firewall_file) {
          if (pvebackup_co_add_config(task->firewall_file, firewall_name, format, backup_dir,
                                      vmaw, pbs, task->errp) != 0) {
@@ -293,7 +293,7 @@ index 4684789813..f90abaa50a 100644
  
      if (backup_state.stat.error) {
          error_free(backup_state.stat.error);
-@@ -893,10 +917,9 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -890,10 +914,9 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      char *uuid_str = g_strdup(backup_state.stat.uuid_str);
  
      backup_state.stat.total = total;
@@ -305,7 +305,7 @@ index 4684789813..f90abaa50a 100644
  
      qemu_mutex_unlock(&backup_state.stat.lock);
  
-@@ -913,6 +936,9 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -910,6 +933,9 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      task->result = uuid_info;
      return;
  
@@ -315,7 +315,7 @@ index 4684789813..f90abaa50a 100644
  err:
  
      l = di_list;
-@@ -1076,11 +1102,42 @@ BackupStatus *qmp_query_backup(Error **errp)
+@@ -1073,11 +1099,42 @@ BackupStatus *qmp_query_backup(Error **errp)
      return info;
  }
  
@@ -359,10 +359,10 @@ index 4684789813..f90abaa50a 100644
      return ret;
  }
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index cfd980b70f..8833060385 100644
+index 8b0e0d92de..7fde927621 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -875,6 +875,8 @@
+@@ -871,6 +871,8 @@
  # @pbs-dirty-bitmap: True if dirty-bitmap-incremental backups to PBS are
  #                    supported.
  #
@@ -371,7 +371,7 @@ index cfd980b70f..8833060385 100644
  # @pbs-dirty-bitmap-savevm: True if 'dirty-bitmaps' migration capability can
  #                           safely be set for savevm-async.
  #
-@@ -883,6 +885,7 @@
+@@ -879,6 +881,7 @@
  ##
  { 'struct': 'ProxmoxSupportStatus',
    'data': { 'pbs-dirty-bitmap': 'bool',
@@ -379,7 +379,7 @@ index cfd980b70f..8833060385 100644
              'pbs-dirty-bitmap-savevm': 'bool',
              'pbs-library-version': 'str' } }
  
-@@ -896,6 +899,59 @@
+@@ -892,6 +895,59 @@
  ##
  { 'command': 'query-proxmox-support', 'returns': 'ProxmoxSupportStatus' }
  

debian/patches/pve/0036-PVE-redirect-stderr-to-journal-when-daemonized.patch

@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 7 insertions(+), 2 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index 85b3c63199..31ba7d70d6 100644
+index 93ebda47af..d47ce5fe64 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -1203,6 +1203,7 @@ keyutils = dependency('libkeyutils', required: false,
+@@ -1526,6 +1526,7 @@ keyutils = dependency('libkeyutils', required: false,
  has_gettid = cc.has_function('gettid')
  
  libuuid = cc.find_library('uuid', required: true)
@@ -25,7 +25,7 @@ index 85b3c63199..31ba7d70d6 100644
  libproxmox_backup_qemu = cc.find_library('proxmox_backup_qemu', required: true)
  
  # libselinux
-@@ -2571,6 +2572,7 @@ if have_block
+@@ -3094,6 +3095,7 @@ if have_block
    # os-posix.c contains POSIX-specific functions used by qemu-storage-daemon,
    # os-win32.c does not
    blockdev_ss.add(when: 'CONFIG_POSIX', if_true: files('os-posix.c'))
@@ -34,7 +34,7 @@ index 85b3c63199..31ba7d70d6 100644
  endif
  
 diff --git a/os-posix.c b/os-posix.c
-index ae6c9f2a5e..36807806bf 100644
+index 4858650c3e..c5cb12226a 100644
 --- a/os-posix.c
 +++ b/os-posix.c
 @@ -28,6 +28,8 @@
@@ -44,15 +44,15 @@ index ae6c9f2a5e..36807806bf 100644
 +#include <systemd/sd-journal.h>
 +#include <syslog.h>
  
- #include "qemu-common.h"
  /* Needed early for CONFIG_BSD etc. */
-@@ -291,9 +293,10 @@ void os_setup_post(void)
+ #include "net/slirp.h"
+@@ -287,9 +289,10 @@ void os_setup_post(void)
  
          dup2(fd, 0);
          dup2(fd, 1);
 -        /* In case -D is given do not redirect stderr to /dev/null */
 +        /* In case -D is given do not redirect stderr to journal */
-         if (!qemu_logfile) {
+         if (!qemu_log_enabled()) {
 -            dup2(fd, 2);
 +            int journal_fd = sd_journal_stream_fd("QEMU", LOG_ERR, 0);
 +            dup2(journal_fd, 2);

debian/patches/pve/0037-PVE-Add-sequential-job-transaction-support.patch

@@ -7,14 +7,14 @@ Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
  include/qemu/job.h | 12 ++++++++++++
- job.c              | 31 +++++++++++++++++++++++++++++++
- 2 files changed, 43 insertions(+)
+ job.c              | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
 
 diff --git a/include/qemu/job.h b/include/qemu/job.h
-index 6e67b6977f..60376c99ee 100644
+index e502787dd8..963cf2bef5 100644
 --- a/include/qemu/job.h
 +++ b/include/qemu/job.h
-@@ -294,6 +294,18 @@ typedef enum JobCreateFlags {
+@@ -381,6 +381,18 @@ void job_unlock(void);
   */
  JobTxn *job_txn_new(void);
  
@@ -34,10 +34,10 @@ index 6e67b6977f..60376c99ee 100644
   * Release a reference that was previously acquired with job_txn_add_job or
   * job_txn_new. If it's the last reference to the object, it will be freed.
 diff --git a/job.c b/job.c
-index af25dd5b98..d0d152e697 100644
+index 93e22d180b..2b31f1e14f 100644
 --- a/job.c
 +++ b/job.c
-@@ -72,6 +72,8 @@ struct JobTxn {
+@@ -93,6 +93,8 @@ struct JobTxn {
  
      /* Reference count */
      int refcnt;
@@ -45,8 +45,8 @@ index af25dd5b98..d0d152e697 100644
 +    bool sequential;
  };
  
- /* Right now, this mutex is only needed to synchronize accesses to job->busy
-@@ -102,6 +104,25 @@ JobTxn *job_txn_new(void)
+ void job_lock(void)
+@@ -118,6 +120,25 @@ JobTxn *job_txn_new(void)
      return txn;
  }
  
@@ -69,20 +69,23 @@ index af25dd5b98..d0d152e697 100644
 +    job_start(first);
 +}
 +
- static void job_txn_ref(JobTxn *txn)
+ /* Called with job_mutex held. */
+ static void job_txn_ref_locked(JobTxn *txn)
  {
-     txn->refcnt++;
-@@ -888,6 +909,9 @@ static void job_completed_txn_success(Job *job)
+@@ -1057,6 +1078,12 @@ static void job_completed_txn_success_locked(Job *job)
       */
      QLIST_FOREACH(other_job, &txn->jobs, txn_list) {
-         if (!job_is_completed(other_job)) {
+         if (!job_is_completed_locked(other_job)) {
 +            if (txn->sequential) {
++                job_unlock();
++                /* Needs to be called without holding the job lock */
 +                job_start(other_job);
++                job_lock();
 +            }
              return;
          }
          assert(other_job->ret == 0);
-@@ -1082,6 +1106,13 @@ int job_finish_sync(Job *job, void (*finish)(Job *, Error **errp), Error **errp)
+@@ -1268,6 +1295,13 @@ int job_finish_sync_locked(Job *job,
          return -EBUSY;
      }
  
@@ -90,9 +93,9 @@ index af25dd5b98..d0d152e697 100644
 +     * of cancelling, these have not begun work so job_enter won't do anything,
 +     * let's ensure they are marked as ABORTING if required */
 +    if (job->status == JOB_STATUS_CREATED && job->txn->sequential) {
-+        job_update_rc(job);
++        job_update_rc_locked(job);
 +    }
 +
-     AIO_WAIT_WHILE(job->aio_context,
-                    (job_enter(job), !job_is_completed(job)));
- 
+     job_unlock();
+     AIO_WAIT_WHILE_UNLOCKED(job->aio_context,
+                             (job_enter(job), !job_is_completed(job)));

debian/patches/pve/0038-PVE-Backup-Use-a-transaction-to-synchronize-job-stat.patch

@@ -12,14 +12,15 @@ transaction, so drives will still be backed up one after the other.
 
 Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[add new force parameter to job_cancel_sync calls]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+[FE: add new force parameter to job_cancel_sync calls
+     adapt for new job lock mechanism replacing AioContext locks]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
- pve-backup.c | 167 +++++++++++++++------------------------------------
- 1 file changed, 49 insertions(+), 118 deletions(-)
+ pve-backup.c | 163 ++++++++++++++++-----------------------------------
+ 1 file changed, 50 insertions(+), 113 deletions(-)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index f90abaa50a..63c686463f 100644
+index 8ae50e06c3..eedac335ec 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -52,6 +52,7 @@ static struct PVEBackupState {
@@ -30,7 +31,7 @@ index f90abaa50a..63c686463f 100644
      QemuMutex backup_mutex;
      CoMutex dump_callback_mutex;
  } backup_state;
-@@ -71,32 +72,12 @@ typedef struct PVEBackupDevInfo {
+@@ -71,34 +72,12 @@ typedef struct PVEBackupDevInfo {
      size_t size;
      uint64_t block_size;
      uint8_t dev_id;
@@ -47,14 +48,16 @@ index f90abaa50a..63c686463f 100644
 -lookup_active_block_job(PVEBackupDevInfo *di)
 -{
 -    if (!di->completed && di->bs) {
--        for (BlockJob *job = block_job_next(NULL); job; job = block_job_next(job)) {
--            if (job->job.driver->job_type != JOB_TYPE_BACKUP) {
--                continue;
--            }
+-        WITH_JOB_LOCK_GUARD() {
+-            for (BlockJob *job = block_job_next_locked(NULL); job; job = block_job_next_locked(job)) {
+-                if (job->job.driver->job_type != JOB_TYPE_BACKUP) {
+-                    continue;
+-                }
 -
--            BackupBlockJob *bjob = container_of(job, BackupBlockJob, common);
--            if (bjob && bjob->source_bs == di->bs) {
--                return job;
+-                BackupBlockJob *bjob = container_of(job, BackupBlockJob, common);
+-                if (bjob && bjob->source_bs == di->bs) {
+-                    return job;
+-                }
 -            }
 -        }
 -    }
@@ -64,7 +67,7 @@ index f90abaa50a..63c686463f 100644
  static void pvebackup_propagate_error(Error *err)
  {
      qemu_mutex_lock(&backup_state.stat.lock);
-@@ -272,18 +253,6 @@ static void coroutine_fn pvebackup_co_cleanup(void *unused)
+@@ -274,18 +253,6 @@ static void coroutine_fn pvebackup_co_cleanup(void *unused)
              if (local_err != NULL) {
                  pvebackup_propagate_error(local_err);
              }
@@ -83,7 +86,7 @@ index f90abaa50a..63c686463f 100644
          }
  
          proxmox_backup_disconnect(backup_state.pbs);
-@@ -322,8 +291,6 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+@@ -324,8 +291,6 @@ static void pvebackup_complete_cb(void *opaque, int ret)
  
      qemu_mutex_lock(&backup_state.backup_mutex);
  
@@ -92,7 +95,7 @@ index f90abaa50a..63c686463f 100644
      if (ret < 0) {
          Error *local_err = NULL;
          error_setg(&local_err, "job failed with err %d - %s", ret, strerror(-ret));
-@@ -336,20 +303,17 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+@@ -338,20 +303,17 @@ static void pvebackup_complete_cb(void *opaque, int ret)
  
      block_on_coroutine_fn(pvebackup_complete_stream, di);
  
@@ -119,7 +122,7 @@ index f90abaa50a..63c686463f 100644
  }
  
  static void pvebackup_cancel(void)
-@@ -371,36 +335,28 @@ static void pvebackup_cancel(void)
+@@ -373,32 +335,28 @@ static void pvebackup_cancel(void)
          proxmox_backup_abort(backup_state.pbs, "backup canceled");
      }
  
@@ -128,13 +131,6 @@ index f90abaa50a..63c686463f 100644
 -    for(;;) {
 -
 -        BlockJob *next_job = NULL;
--
--        qemu_mutex_lock(&backup_state.backup_mutex);
--
--        GList *l = backup_state.di_list;
--        while (l) {
--            PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
--            l = g_list_next(l);
 +    /* it's enough to cancel one job in the transaction, the rest will follow
 +     * automatically */
 +    GList *bdi = g_list_first(backup_state.di_list);
@@ -142,15 +138,23 @@ index f90abaa50a..63c686463f 100644
 +        ((PVEBackupDevInfo *)bdi->data)->job :
 +        NULL;
  
+-        qemu_mutex_lock(&backup_state.backup_mutex);
+-
+-        GList *l = backup_state.di_list;
+-        while (l) {
+-            PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
+-            l = g_list_next(l);
+-
 -            BlockJob *job = lookup_active_block_job(di);
 -            if (job != NULL) {
 -                next_job = job;
 -                break;
 -            }
--        }
 +    /* ref the job before releasing the mutex, just to be safe */
 +    if (cancel_job) {
-+        job_ref(&cancel_job->job);
++        WITH_JOB_LOCK_GUARD() {
++            job_ref_locked(&cancel_job->job);
+         }
 +    }
  
 -        qemu_mutex_unlock(&backup_state.backup_mutex);
@@ -159,27 +163,21 @@ index f90abaa50a..63c686463f 100644
 +    qemu_mutex_unlock(&backup_state.backup_mutex);
  
 -        if (next_job) {
--            AioContext *aio_context = next_job->job.aio_context;
--            aio_context_acquire(aio_context);
 -            job_cancel_sync(&next_job->job, true);
--            aio_context_release(aio_context);
 -        } else {
 -            break;
--        }
 +    if (cancel_job) {
-+        AioContext *aio_context = cancel_job->job.aio_context;
-+        aio_context_acquire(aio_context);
-+        job_cancel_sync(&cancel_job->job, true);
-+        job_unref(&cancel_job->job);
-+        aio_context_release(aio_context);
++        WITH_JOB_LOCK_GUARD() {
++            job_cancel_sync_locked(&cancel_job->job, true);
++            job_unref_locked(&cancel_job->job);
+         }
      }
  }
- 
-@@ -459,51 +415,19 @@ static int coroutine_fn pvebackup_co_add_config(
+@@ -458,49 +416,19 @@ static int coroutine_fn pvebackup_co_add_config(
      goto out;
  }
  
--bool job_should_pause(Job *job);
+-bool job_should_pause_locked(Job *job);
 -
 -static void pvebackup_run_next_job(void)
 -{
@@ -197,18 +195,16 @@ index f90abaa50a..63c686463f 100644
 -        if (job) {
 -            qemu_mutex_unlock(&backup_state.backup_mutex);
 -
--            AioContext *aio_context = job->job.aio_context;
--            aio_context_acquire(aio_context);
--
--            if (job_should_pause(&job->job)) {
--                bool error_or_canceled = pvebackup_error_or_canceled();
--                if (error_or_canceled) {
--                    job_cancel_sync(&job->job, true);
--                } else {
--                    job_resume(&job->job);
+-            WITH_JOB_LOCK_GUARD() {
+-                if (job_should_pause_locked(&job->job)) {
+-                    bool error_or_canceled = pvebackup_error_or_canceled();
+-                    if (error_or_canceled) {
+-                        job_cancel_sync_locked(&job->job, true);
+-                    } else {
+-                        job_resume_locked(&job->job);
+-                    }
 -                }
 -            }
--            aio_context_release(aio_context);
 -            return;
 -        }
 -    }
@@ -234,7 +230,7 @@ index f90abaa50a..63c686463f 100644
      BackupPerf perf = { .max_workers = 16 };
  
      /* create and start all jobs (paused state) */
-@@ -526,7 +450,7 @@ static bool create_backup_jobs(void) {
+@@ -523,7 +451,7 @@ static bool create_backup_jobs(void) {
          BlockJob *job = backup_job_create(
              NULL, di->bs, di->target, backup_state.speed, sync_mode, di->bitmap,
              bitmap_mode, false, NULL, &perf, BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
@@ -243,7 +239,7 @@ index f90abaa50a..63c686463f 100644
  
          aio_context_release(aio_context);
  
-@@ -538,7 +462,8 @@ static bool create_backup_jobs(void) {
+@@ -535,7 +463,8 @@ static bool create_backup_jobs(void) {
              pvebackup_propagate_error(create_job_err);
              break;
          }
@@ -253,18 +249,20 @@ index f90abaa50a..63c686463f 100644
  
          bdrv_unref(di->target);
          di->target = NULL;
-@@ -556,6 +481,10 @@ static bool create_backup_jobs(void) {
+@@ -553,6 +482,12 @@ static bool create_backup_jobs(void) {
                  bdrv_unref(di->target);
                  di->target = NULL;
              }
 +
 +            if (di->job) {
-+                job_unref(&di->job->job);
++                WITH_JOB_LOCK_GUARD() {
++                    job_unref_locked(&di->job->job);
++                }
 +            }
          }
      }
  
-@@ -946,10 +875,6 @@ err:
+@@ -943,10 +878,6 @@ err:
          PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
          l = g_list_next(l);
  
@@ -275,7 +273,7 @@ index f90abaa50a..63c686463f 100644
          if (di->target) {
              bdrv_unref(di->target);
          }
-@@ -1038,9 +963,15 @@ UuidInfo *qmp_backup(
+@@ -1035,9 +966,15 @@ UuidInfo *qmp_backup(
      block_on_coroutine_fn(pvebackup_co_prepare, &task);
  
      if (*errp == NULL) {

debian/patches/pve/0039-PVE-Backup-Don-t-block-on-finishing-and-cleanup-crea.patch

@@ -49,15 +49,15 @@ before.
 
 Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[add new force parameter to job_cancel_sync calls]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+[FE: add new force parameter to job_cancel_sync calls]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
- pve-backup.c         | 217 ++++++++++++++++++++++++++++---------------
+ pve-backup.c         | 212 +++++++++++++++++++++++++++----------------
  qapi/block-core.json |   5 +-
- 2 files changed, 144 insertions(+), 78 deletions(-)
+ 2 files changed, 138 insertions(+), 79 deletions(-)
 
 diff --git a/pve-backup.c b/pve-backup.c
-index 63c686463f..6f05796fad 100644
+index eedac335ec..7bd9d06346 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -33,7 +33,9 @@ const char *PBS_BITMAP_NAME = "pbs-incremental-dirty-bitmap";
@@ -192,7 +192,7 @@ index 63c686463f..6f05796fad 100644
  
      // remove self from job list
      backup_state.di_list = g_list_remove(backup_state.di_list, di);
-@@ -310,21 +321,49 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+@@ -310,21 +321,46 @@ static void pvebackup_complete_cb(void *opaque, int ret)
  
      /* call cleanup if we're the last job */
      if (!g_list_first(backup_state.di_list)) {
@@ -229,10 +229,7 @@ index 63c686463f..6f05796fad 100644
 +static void job_cancel_bh(void *opaque) {
 +    CoCtxData *data = (CoCtxData*)opaque;
 +    Job *job = (Job*)data->data;
-+    AioContext *job_ctx = job->aio_context;
-+    aio_context_acquire(job_ctx);
 +    job_cancel_sync(job, true);
-+    aio_context_release(job_ctx);
 +    aio_co_enter(data->ctx, data->co);
 +}
  
@@ -247,13 +244,15 @@ index 63c686463f..6f05796fad 100644
  
      if (backup_state.vmaw) {
          /* make sure vma writer does not block anymore */
-@@ -342,27 +381,22 @@ static void pvebackup_cancel(void)
+@@ -342,28 +378,22 @@ static void pvebackup_cancel(void)
          ((PVEBackupDevInfo *)bdi->data)->job :
          NULL;
  
 -    /* ref the job before releasing the mutex, just to be safe */
      if (cancel_job) {
--        job_ref(&cancel_job->job);
+-        WITH_JOB_LOCK_GUARD() {
+-            job_ref_locked(&cancel_job->job);
+-        }
 +        CoCtxData data = {
 +            .ctx = qemu_get_current_aio_context(),
 +            .co = qemu_coroutine_self(),
@@ -268,11 +267,10 @@ index 63c686463f..6f05796fad 100644
 -    qemu_mutex_unlock(&backup_state.backup_mutex);
 -
 -    if (cancel_job) {
--        AioContext *aio_context = cancel_job->job.aio_context;
--        aio_context_acquire(aio_context);
--        job_cancel_sync(&cancel_job->job, true);
--        job_unref(&cancel_job->job);
--        aio_context_release(aio_context);
+-        WITH_JOB_LOCK_GUARD() {
+-            job_cancel_sync_locked(&cancel_job->job, true);
+-            job_unref_locked(&cancel_job->job);
+-        }
 -    }
 +    qemu_co_mutex_unlock(&backup_state.backup_mutex);
  }
@@ -284,7 +282,7 @@ index 63c686463f..6f05796fad 100644
  }
  
  // assumes the caller holds backup_mutex
-@@ -415,10 +449,18 @@ static int coroutine_fn pvebackup_co_add_config(
+@@ -416,10 +446,18 @@ static int coroutine_fn pvebackup_co_add_config(
      goto out;
  }
  
@@ -304,7 +302,7 @@ index 63c686463f..6f05796fad 100644
      Error *local_err = NULL;
  
      /* create job transaction to synchronize bitmap commit and cancel all
-@@ -454,24 +496,19 @@ static bool create_backup_jobs(void) {
+@@ -455,24 +493,19 @@ static bool create_backup_jobs(void) {
  
          aio_context_release(aio_context);
  
@@ -334,15 +332,13 @@ index 63c686463f..6f05796fad 100644
          l = backup_state.di_list;
          while (l) {
              PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
-@@ -483,12 +520,17 @@ static bool create_backup_jobs(void) {
-             }
+@@ -485,13 +518,15 @@ static bool create_backup_jobs(void) {
  
              if (di->job) {
-+                AioContext *ctx = di->job->job.aio_context;
-+                aio_context_acquire(ctx);
-+                job_cancel_sync(&di->job->job, true);
-                 job_unref(&di->job->job);
-+                aio_context_release(ctx);
+                 WITH_JOB_LOCK_GUARD() {
++                    job_cancel_sync_locked(&di->job->job, true);
+                     job_unref_locked(&di->job->job);
+                 }
              }
          }
      }
@@ -353,7 +349,7 @@ index 63c686463f..6f05796fad 100644
  }
  
  typedef struct QmpBackupTask {
-@@ -525,11 +567,12 @@ typedef struct QmpBackupTask {
+@@ -528,11 +563,12 @@ typedef struct QmpBackupTask {
      UuidInfo *result;
  } QmpBackupTask;
  
@@ -367,7 +363,7 @@ index 63c686463f..6f05796fad 100644
      QmpBackupTask *task = opaque;
  
      task->result = NULL; // just to be sure
-@@ -550,8 +593,9 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -553,8 +589,9 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      const char *firewall_name = "qemu-server.fw";
  
      if (backup_state.di_list) {
@@ -378,7 +374,7 @@ index 63c686463f..6f05796fad 100644
          return;
      }
  
-@@ -618,6 +662,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -621,6 +658,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
          }
          di->size = size;
          total += size;
@@ -387,7 +383,7 @@ index 63c686463f..6f05796fad 100644
      }
  
      uuid_generate(uuid);
-@@ -849,6 +895,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -852,6 +891,8 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      backup_state.stat.dirty = total - backup_state.stat.reused;
      backup_state.stat.transferred = 0;
      backup_state.stat.zero_bytes = 0;
@@ -396,7 +392,7 @@ index 63c686463f..6f05796fad 100644
  
      qemu_mutex_unlock(&backup_state.stat.lock);
  
-@@ -863,6 +911,33 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -866,6 +907,33 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      uuid_info->UUID = uuid_str;
  
      task->result = uuid_info;
@@ -430,7 +426,7 @@ index 63c686463f..6f05796fad 100644
      return;
  
  err_mutex:
-@@ -885,6 +960,7 @@ err:
+@@ -888,6 +956,7 @@ err:
          g_free(di);
      }
      g_list_free(di_list);
@@ -438,7 +434,7 @@ index 63c686463f..6f05796fad 100644
  
      if (devs) {
          g_strfreev(devs);
-@@ -905,6 +981,8 @@ err:
+@@ -908,6 +977,8 @@ err:
      }
  
      task->result = NULL;
@@ -447,7 +443,7 @@ index 63c686463f..6f05796fad 100644
      return;
  }
  
-@@ -958,24 +1036,8 @@ UuidInfo *qmp_backup(
+@@ -961,24 +1032,8 @@ UuidInfo *qmp_backup(
          .errp = errp,
      };
  
@@ -472,7 +468,7 @@ index 63c686463f..6f05796fad 100644
      return task.result;
  }
  
-@@ -1027,6 +1089,7 @@ BackupStatus *qmp_query_backup(Error **errp)
+@@ -1030,6 +1085,7 @@ BackupStatus *qmp_query_backup(Error **errp)
      info->transferred = backup_state.stat.transferred;
      info->has_reused = true;
      info->reused = backup_state.stat.reused;
@@ -481,10 +477,10 @@ index 63c686463f..6f05796fad 100644
      qemu_mutex_unlock(&backup_state.stat.lock);
  
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 8833060385..6a67adf923 100644
+index 7fde927621..bf559c6d52 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -774,12 +774,15 @@
+@@ -770,12 +770,15 @@
  #
  # @uuid: uuid for this backup job
  #

debian/patches/pve/0040-PVE-Migrate-dirty-bitmap-state-via-savevm.patch

@@ -36,11 +36,11 @@ index 465906710d..4f0aeceb6f 100644
 +
  #endif
 diff --git a/migration/meson.build b/migration/meson.build
-index ea9aedeefc..c27dc9bd97 100644
+index 0842d00cd2..d012f4d8d3 100644
 --- a/migration/meson.build
 +++ b/migration/meson.build
-@@ -7,8 +7,10 @@ migration_files = files(
-   'qemu-file-channel.c',
+@@ -6,8 +6,10 @@ migration_files = files(
+   'vmstate.c',
    'qemu-file.c',
    'yank_functions.c',
 +  'pbs-state.c',
@@ -51,10 +51,10 @@ index ea9aedeefc..c27dc9bd97 100644
  softmmu_ss.add(files(
    'block-dirty-bitmap.c',
 diff --git a/migration/migration.c b/migration/migration.c
-index abaf6f9e3d..d925fd7488 100644
+index 9b496cce1d..421b4ee225 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
-@@ -213,6 +213,7 @@ void migration_object_init(void)
+@@ -229,6 +229,7 @@ void migration_object_init(void)
      blk_mig_init();
      ram_mig_init();
      dirty_bitmap_mig_init();
@@ -175,10 +175,10 @@ index 0000000000..29f2b3860d
 +                         NULL);
 +}
 diff --git a/pve-backup.c b/pve-backup.c
-index 6f05796fad..5fa3cc1352 100644
+index 7bd9d06346..5662f48b72 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
-@@ -1132,6 +1132,7 @@ ProxmoxSupportStatus *qmp_query_proxmox_support(Error **errp)
+@@ -1128,6 +1128,7 @@ ProxmoxSupportStatus *qmp_query_proxmox_support(Error **errp)
      ret->pbs_library_version = g_strdup(proxmox_backup_qemu_version());
      ret->pbs_dirty_bitmap = true;
      ret->pbs_dirty_bitmap_savevm = true;
@@ -187,10 +187,10 @@ index 6f05796fad..5fa3cc1352 100644
      return ret;
  }
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 6a67adf923..c99ddf8628 100644
+index bf559c6d52..24f30260c8 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -883,6 +883,11 @@
+@@ -879,6 +879,11 @@
  # @pbs-dirty-bitmap-savevm: True if 'dirty-bitmaps' migration capability can
  #                           safely be set for savevm-async.
  #
@@ -202,7 +202,7 @@ index 6a67adf923..c99ddf8628 100644
  # @pbs-library-version: Running version of libproxmox-backup-qemu0 library.
  #
  ##
-@@ -890,6 +895,7 @@
+@@ -886,6 +891,7 @@
    'data': { 'pbs-dirty-bitmap': 'bool',
              'query-bitmap-info': 'bool',
              'pbs-dirty-bitmap-savevm': 'bool',

debian/patches/pve/0042-PVE-fall-back-to-open-iscsi-initiatorname.patch

@@ -21,10 +21,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 30 insertions(+)
 
 diff --git a/block/iscsi.c b/block/iscsi.c
-index 57aa07a40d..a8902b84d5 100644
+index 1bba42a71b..89cd032c3a 100644
 --- a/block/iscsi.c
 +++ b/block/iscsi.c
-@@ -1386,12 +1386,42 @@ static char *get_initiator_name(QemuOpts *opts)
+@@ -1388,12 +1388,42 @@ static char *get_initiator_name(QemuOpts *opts)
      const char *name;
      char *iscsi_name;
      UuidInfo *uuid_info;

debian/patches/pve/0043-PVE-Use-coroutine-QMP-for-backup-cancel_backup.patch

@@ -32,10 +32,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  5 files changed, 77 insertions(+), 196 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 4481b60a5c..c9849a5b29 100644
+index f59b02592e..2e53cb65df 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1016,7 +1016,7 @@ void hmp_info_snapshots(Monitor *mon, const QDict *qdict)
+@@ -1018,7 +1018,7 @@ void hmp_info_snapshots(Monitor *mon, const QDict *qdict)
      g_free(global_snapshots);
  }
  
@@ -44,7 +44,7 @@ index 4481b60a5c..c9849a5b29 100644
  {
      Error *error = NULL;
  
-@@ -1025,7 +1025,7 @@ void hmp_backup_cancel(Monitor *mon, const QDict *qdict)
+@@ -1027,7 +1027,7 @@ void hmp_backup_cancel(Monitor *mon, const QDict *qdict)
      hmp_handle_error(mon, error);
  }
  
@@ -54,10 +54,10 @@ index 4481b60a5c..c9849a5b29 100644
      Error *error = NULL;
  
 diff --git a/hmp-commands.hx b/hmp-commands.hx
-index d4bb00216e..4e21911fa6 100644
+index fcf9461295..5fdb198ca4 100644
 --- a/hmp-commands.hx
 +++ b/hmp-commands.hx
-@@ -109,6 +109,7 @@ ERST
+@@ -111,6 +111,7 @@ ERST
  		    "\n\t\t\t Use -d to dump data into a directory instead"
  		    "\n\t\t\t of using VMA format.",
          .cmd = hmp_backup,
@@ -65,7 +65,7 @@ index d4bb00216e..4e21911fa6 100644
      },
  
  SRST
-@@ -122,6 +123,7 @@ ERST
+@@ -124,6 +125,7 @@ ERST
          .params     = "",
          .help       = "cancel the current VM backup",
          .cmd        = hmp_backup_cancel,
@@ -116,10 +116,10 @@ index 4ce7bc0b5e..0923037dec 100644
  static void proxmox_backup_schedule_wake(void *data) {
      CoCtxData *waker = (CoCtxData *)data;
 diff --git a/pve-backup.c b/pve-backup.c
-index 5fa3cc1352..323014744c 100644
+index 5662f48b72..e4fe1b601d 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
-@@ -357,7 +357,7 @@ static void job_cancel_bh(void *opaque) {
+@@ -354,7 +354,7 @@ static void job_cancel_bh(void *opaque) {
      aio_co_enter(data->ctx, data->co);
  }
  
@@ -128,7 +128,7 @@ index 5fa3cc1352..323014744c 100644
  {
      Error *cancel_err = NULL;
      error_setg(&cancel_err, "backup canceled");
-@@ -394,11 +394,6 @@ static void coroutine_fn pvebackup_co_cancel(void *opaque)
+@@ -391,11 +391,6 @@ static void coroutine_fn pvebackup_co_cancel(void *opaque)
      qemu_co_mutex_unlock(&backup_state.backup_mutex);
  }
  
@@ -140,7 +140,7 @@ index 5fa3cc1352..323014744c 100644
  // assumes the caller holds backup_mutex
  static int coroutine_fn pvebackup_co_add_config(
      const char *file,
-@@ -533,50 +528,27 @@ static void create_backup_jobs_bh(void *opaque) {
+@@ -529,50 +524,27 @@ static void create_backup_jobs_bh(void *opaque) {
      aio_co_enter(data->ctx, data->co);
  }
  
@@ -207,7 +207,7 @@ index 5fa3cc1352..323014744c 100644
      BlockBackend *blk;
      BlockDriverState *bs = NULL;
      const char *backup_dir = NULL;
-@@ -593,17 +565,17 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -589,17 +561,17 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      const char *firewall_name = "qemu-server.fw";
  
      if (backup_state.di_list) {
@@ -230,7 +230,7 @@ index 5fa3cc1352..323014744c 100644
  
          gchar **d = devs;
          while (d && *d) {
-@@ -611,14 +583,14 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -607,14 +579,14 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              if (blk) {
                  bs = blk_bs(blk);
                  if (!bdrv_is_inserted(bs)) {
@@ -247,7 +247,7 @@ index 5fa3cc1352..323014744c 100644
                            "Device '%s' not found", *d);
                  goto err;
              }
-@@ -641,7 +613,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -637,7 +609,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      }
  
      if (!di_list) {
@@ -256,7 +256,7 @@ index 5fa3cc1352..323014744c 100644
          goto err;
      }
  
-@@ -651,13 +623,13 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -647,13 +619,13 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      while (l) {
          PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
          l = g_list_next(l);
@@ -267,12 +267,12 @@ index 5fa3cc1352..323014744c 100644
  
          ssize_t size = bdrv_getlength(di->bs);
          if (size < 0) {
--            error_setg_errno(task->errp, -di->size, "bdrv_getlength failed");
-+            error_setg_errno(errp, -di->size, "bdrv_getlength failed");
+-            error_setg_errno(task->errp, -size, "bdrv_getlength failed");
++            error_setg_errno(errp, -size, "bdrv_getlength failed");
              goto err;
          }
          di->size = size;
-@@ -684,47 +656,44 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -680,47 +652,44 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      }
  
      if (format == BACKUP_FORMAT_PBS) {
@@ -337,7 +337,7 @@ index 5fa3cc1352..323014744c 100644
          if (connect_result < 0)
              goto err_mutex;
  
-@@ -743,9 +712,9 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -739,9 +708,9 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              BdrvDirtyBitmap *bitmap = bdrv_find_dirty_bitmap(di->bs, PBS_BITMAP_NAME);
              bool expect_only_dirty = false;
  
@@ -349,7 +349,7 @@ index 5fa3cc1352..323014744c 100644
                      if (!bitmap) {
                          goto err_mutex;
                      }
-@@ -775,12 +744,12 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -771,12 +740,12 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
                  }
              }
  
@@ -364,7 +364,7 @@ index 5fa3cc1352..323014744c 100644
                  goto err_mutex;
              }
  
-@@ -794,10 +763,10 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -790,10 +759,10 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              backup_state.stat.bitmap_list = g_list_append(backup_state.stat.bitmap_list, info);
          }
      } else if (format == BACKUP_FORMAT_VMA) {
@@ -377,7 +377,7 @@ index 5fa3cc1352..323014744c 100644
              }
              goto err_mutex;
          }
-@@ -808,25 +777,25 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -804,25 +773,25 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
              l = g_list_next(l);
  
@@ -409,7 +409,7 @@ index 5fa3cc1352..323014744c 100644
  
          l = di_list;
          while (l) {
-@@ -840,34 +809,34 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -836,34 +805,34 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
              bdrv_img_create(di->targetfile, "raw", NULL, NULL, NULL,
                              di->size, flags, false, &local_err);
              if (local_err) {
@@ -453,7 +453,7 @@ index 5fa3cc1352..323014744c 100644
              goto err_mutex;
          }
      }
-@@ -885,7 +854,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -881,7 +850,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      if (backup_state.stat.backup_file) {
          g_free(backup_state.stat.backup_file);
      }
@@ -462,7 +462,7 @@ index 5fa3cc1352..323014744c 100644
  
      uuid_copy(backup_state.stat.uuid, uuid);
      uuid_unparse_lower(uuid, backup_state.stat.uuid_str);
-@@ -900,7 +869,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -896,7 +865,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
  
      qemu_mutex_unlock(&backup_state.stat.lock);
  
@@ -471,7 +471,7 @@ index 5fa3cc1352..323014744c 100644
  
      backup_state.vmaw = vmaw;
      backup_state.pbs = pbs;
-@@ -910,8 +879,6 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -906,8 +875,6 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      uuid_info = g_malloc0(sizeof(*uuid_info));
      uuid_info->UUID = uuid_str;
  
@@ -480,7 +480,7 @@ index 5fa3cc1352..323014744c 100644
      /* Run create_backup_jobs_bh outside of coroutine (in BH) but keep
      * backup_mutex locked. This is fine, a CoMutex can be held across yield
      * points, and we'll release it as soon as the BH reschedules us.
-@@ -925,7 +892,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -921,7 +888,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      qemu_coroutine_yield();
  
      if (local_err) {
@@ -489,7 +489,7 @@ index 5fa3cc1352..323014744c 100644
          goto err;
      }
  
-@@ -938,7 +905,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
+@@ -934,7 +901,7 @@ static void coroutine_fn pvebackup_co_prepare(void *opaque)
      /* start the first job in the transaction */
      job_txn_start_seq(backup_state.txn);
  
@@ -498,7 +498,7 @@ index 5fa3cc1352..323014744c 100644
  
  err_mutex:
      qemu_mutex_unlock(&backup_state.stat.lock);
-@@ -969,7 +936,7 @@ err:
+@@ -965,7 +932,7 @@ err:
      if (vmaw) {
          Error *err = NULL;
          vma_writer_close(vmaw, &err);
@@ -507,7 +507,7 @@ index 5fa3cc1352..323014744c 100644
      }
  
      if (pbs) {
-@@ -980,65 +947,8 @@ err:
+@@ -976,65 +943,8 @@ err:
          rmdir(backup_dir);
      }
  
@@ -575,10 +575,10 @@ index 5fa3cc1352..323014744c 100644
  
  BackupStatus *qmp_query_backup(Error **errp)
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index c99ddf8628..829dc7b8e9 100644
+index 24f30260c8..4e8c35a3a2 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -846,7 +846,7 @@
+@@ -842,7 +842,7 @@
                                      '*config-file': 'str',
                                      '*firewall-file': 'str',
                                      '*devlist': 'str', '*speed': 'int' },
@@ -587,7 +587,7 @@ index c99ddf8628..829dc7b8e9 100644
  
  ##
  # @query-backup:
-@@ -868,7 +868,7 @@
+@@ -864,7 +864,7 @@
  # Notes: This command succeeds even if there is no backup process running.
  #
  ##

debian/patches/pve/0044-PBS-add-master-key-support.patch

@@ -19,10 +19,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 11 insertions(+)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index c9849a5b29..52ddbf95ad 100644
+index 2e53cb65df..f98f4cf7e6 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1039,6 +1039,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1041,6 +1041,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
          false, NULL, // PBS password
          false, NULL, // PBS keyfile
          false, NULL, // PBS key_password
@@ -31,10 +31,10 @@ index c9849a5b29..52ddbf95ad 100644
          false, NULL, // PBS backup-id
          false, 0, // PBS backup-time
 diff --git a/pve-backup.c b/pve-backup.c
-index 323014744c..9f6c04a512 100644
+index e4fe1b601d..41e8effa01 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
-@@ -533,6 +533,7 @@ UuidInfo coroutine_fn *qmp_backup(
+@@ -529,6 +529,7 @@ UuidInfo coroutine_fn *qmp_backup(
      bool has_password, const char *password,
      bool has_keyfile, const char *keyfile,
      bool has_key_password, const char *key_password,
@@ -42,7 +42,7 @@ index 323014744c..9f6c04a512 100644
      bool has_fingerprint, const char *fingerprint,
      bool has_backup_id, const char *backup_id,
      bool has_backup_time, int64_t backup_time,
-@@ -681,6 +682,7 @@ UuidInfo coroutine_fn *qmp_backup(
+@@ -677,6 +678,7 @@ UuidInfo coroutine_fn *qmp_backup(
              has_password ? password : NULL,
              has_keyfile ? keyfile : NULL,
              has_key_password ? key_password : NULL,
@@ -50,7 +50,7 @@ index 323014744c..9f6c04a512 100644
              has_compress ? compress : true,
              has_encrypt ? encrypt : has_keyfile,
              has_fingerprint ? fingerprint : NULL,
-@@ -1044,5 +1046,6 @@ ProxmoxSupportStatus *qmp_query_proxmox_support(Error **errp)
+@@ -1040,5 +1042,6 @@ ProxmoxSupportStatus *qmp_query_proxmox_support(Error **errp)
      ret->pbs_dirty_bitmap_savevm = true;
      ret->pbs_dirty_bitmap_migration = true;
      ret->query_bitmap_info = true;
@@ -58,10 +58,10 @@ index 323014744c..9f6c04a512 100644
      return ret;
  }
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 829dc7b8e9..d089328a1f 100644
+index 4e8c35a3a2..d8c7331090 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -817,6 +817,8 @@
+@@ -813,6 +813,8 @@
  #
  # @key-password: password for keyfile (optional for format 'pbs')
  #
@@ -70,7 +70,7 @@ index 829dc7b8e9..d089328a1f 100644
  # @fingerprint: server cert fingerprint (optional for format 'pbs')
  #
  # @backup-id: backup ID (required for format 'pbs')
-@@ -836,6 +838,7 @@
+@@ -832,6 +834,7 @@
                                      '*password': 'str',
                                      '*keyfile': 'str',
                                      '*key-password': 'str',
@@ -78,7 +78,7 @@ index 829dc7b8e9..d089328a1f 100644
                                      '*fingerprint': 'str',
                                      '*backup-id': 'str',
                                      '*backup-time': 'int',
-@@ -888,6 +891,9 @@
+@@ -884,6 +887,9 @@
  #                              migration cap if this is false/unset may lead
  #                              to crashes on migration!
  #
@@ -88,7 +88,7 @@ index 829dc7b8e9..d089328a1f 100644
  # @pbs-library-version: Running version of libproxmox-backup-qemu0 library.
  #
  ##
-@@ -896,6 +902,7 @@
+@@ -892,6 +898,7 @@
              'query-bitmap-info': 'bool',
              'pbs-dirty-bitmap-savevm': 'bool',
              'pbs-dirty-bitmap-migration': 'bool',

debian/patches/pve/0045-PVE-block-pbs-fast-path-reads-without-allocation-if-.patch

@@ -17,7 +17,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 14 insertions(+), 3 deletions(-)
 
 diff --git a/block/pbs.c b/block/pbs.c
-index 0b05ea9080..c5eb4d5bad 100644
+index 9d1f1f39d4..ce9a870885 100644
 --- a/block/pbs.c
 +++ b/block/pbs.c
 @@ -200,7 +200,16 @@ static coroutine_fn int pbs_co_preadv(BlockDriverState *bs,
@@ -49,5 +49,5 @@ index 0b05ea9080..c5eb4d5bad 100644
 +        g_free(buf);
 +    }
  
-     return ret;
+     return 0;
  }

debian/patches/pve/0046-PVE-block-stream-increase-chunk-size.patch

@@ -11,7 +11,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/block/stream.c b/block/stream.c
-index e45113aed6..c3c0c5febe 100644
+index 694709bd25..e09bd5c4ef 100644
 --- a/block/stream.c
 +++ b/block/stream.c
 @@ -28,7 +28,7 @@ enum {

debian/patches/pve/0047-block-io-accept-NULL-qiov-in-bdrv_pad_request.patch

@@ -17,10 +17,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 4 insertions(+)
 
 diff --git a/block/io.c b/block/io.c
-index 4e4cb556c5..04061f1e68 100644
+index 4589a58917..20167d61b7 100644
 --- a/block/io.c
 +++ b/block/io.c
-@@ -1765,6 +1765,10 @@ static int bdrv_pad_request(BlockDriverState *bs,
+@@ -1730,6 +1730,10 @@ static int bdrv_pad_request(BlockDriverState *bs,
  {
      int ret;
  

debian/patches/pve/0048-PVE-whitelist-invalid-QAPI-names-for-backwards-compa.patch

@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Reiter <s.reiter@proxmox.com>
-Date: Wed, 26 May 2021 15:26:30 +0200
-Subject: [PATCH] PVE: whitelist 'invalid' QAPI names for backwards compat
-
-Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- qapi/pragma.json | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/qapi/pragma.json b/qapi/pragma.json
-index 7c91ea3685..c3888d654c 100644
---- a/qapi/pragma.json
-+++ b/qapi/pragma.json
-@@ -12,6 +12,7 @@
-         'device_add',
-         'device_del',
-         'expire_password',
-+        'get_link_status',
-         'migrate_cancel',
-         'netdev_add',
-         'netdev_del',
-@@ -60,6 +61,8 @@
-         'SysEmuTarget',             # query-cpu-fast, query-target
-         'UuidInfo',                 # query-uuid
-         'VncClientInfo',            # query-vnc, query-vnc-servers, ...
--        'X86CPURegister32'          # qom-get of x86 CPU properties
-+        'X86CPURegister32',         # qom-get of x86 CPU properties
-                                     # feature-words, filtered-features
-+        'BlockdevOptionsPbs',       # for PBS backwards compat
-+        'BalloonInfo'
-     ] } }

debian/patches/pve/0048-block-add-alloc-track-driver.patch

@@ -24,8 +24,9 @@ once the backing image is removed. It will be replaced by 'file'.
 
 Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[adapt to changed function signatures]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+[FE: adapt to changed function signatures
+     make error return value consistent with QEMU]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  block/alloc-track.c | 350 ++++++++++++++++++++++++++++++++++++++++++++
  block/meson.build   |   1 +
@@ -34,7 +35,7 @@ Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
 
 diff --git a/block/alloc-track.c b/block/alloc-track.c
 new file mode 100644
-index 0000000000..6b50fbe537
+index 0000000000..43d40d11af
 --- /dev/null
 +++ b/block/alloc-track.c
 @@ -0,0 +1,350 @@
@@ -181,7 +182,7 @@ index 0000000000..6b50fbe537
 +
 +    if (offset < 0 || bytes < 0) {
 +        fprintf(stderr, "unexpected negative 'offset' or 'bytes' value!\n");
-+        return -EINVAL;
++        return -EIO;
 +    }
 +
 +    /* a read request can span multiple granularity-sized chunks, and can thus
@@ -389,7 +390,7 @@ index 0000000000..6b50fbe537
 +
 +block_init(bdrv_alloc_track_init);
 diff --git a/block/meson.build b/block/meson.build
-index 8c758c0218..45b72e10f1 100644
+index 7ef2fa72d5..15352f579f 100644
 --- a/block/meson.build
 +++ b/block/meson.build
 @@ -2,6 +2,7 @@ block_ss.add(genh)

debian/patches/pve/0049-PVE-savevm-async-register-yank-before-migration_inco.patch

@@ -11,10 +11,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 5 insertions(+)
 
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
-index 970ee3b3fc..b3ccc069f1 100644
+index a38e7351c1..0b1b60c6ae 100644
 --- a/migration/savevm-async.c
 +++ b/migration/savevm-async.c
-@@ -19,6 +19,7 @@
+@@ -20,6 +20,7 @@
  #include "qemu/timer.h"
  #include "qemu/main-loop.h"
  #include "qemu/rcu.h"
@@ -22,7 +22,7 @@ index 970ee3b3fc..b3ccc069f1 100644
  
  /* #define DEBUG_SAVEVM_STATE */
  
-@@ -580,6 +581,10 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
+@@ -521,6 +522,10 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
      dirty_bitmap_mig_before_vm_start();
  
      qemu_fclose(f);

debian/patches/pve/0050-qemu-img-dd-add-l-option-for-loading-a-snapshot.patch

@@ -12,7 +12,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 36 insertions(+), 7 deletions(-)
 
 diff --git a/docs/tools/qemu-img.rst b/docs/tools/qemu-img.rst
-index a49badb158..1039aec01c 100644
+index 5e713e231d..9390d5e5cf 100644
 --- a/docs/tools/qemu-img.rst
 +++ b/docs/tools/qemu-img.rst
 @@ -492,10 +492,10 @@ Command description:
@@ -30,7 +30,7 @@ index a49badb158..1039aec01c 100644
    The data is by default read and written using blocks of 512 bytes but can be
    modified by specifying *BLOCK_SIZE*. If count=\ *BLOCKS* is specified
 diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx
-index f3b2b1b4de..e77ed9347f 100644
+index b5b0bb4467..36f97e1f19 100644
 --- a/qemu-img-cmds.hx
 +++ b/qemu-img-cmds.hx
 @@ -58,9 +58,9 @@ SRST
@@ -46,10 +46,10 @@ index f3b2b1b4de..e77ed9347f 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index 015d6d2ce4..7031195e32 100644
+index 4f5ef5b887..4894016ad2 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4922,6 +4922,7 @@ static int img_dd(int argc, char **argv)
+@@ -4957,6 +4957,7 @@ static int img_dd(int argc, char **argv)
      BlockDriver *drv = NULL, *proto_drv = NULL;
      BlockBackend *blk1 = NULL, *blk2 = NULL;
      QemuOpts *opts = NULL;
@@ -57,15 +57,15 @@ index 015d6d2ce4..7031195e32 100644
      QemuOptsList *create_opts = NULL;
      Error *local_err = NULL;
      bool image_opts = false;
-@@ -4931,6 +4932,7 @@ static int img_dd(int argc, char **argv)
+@@ -4966,6 +4967,7 @@ static int img_dd(int argc, char **argv)
      int64_t size = 0, readsize = 0;
-     int64_t block_count = 0, out_pos, in_pos;
+     int64_t out_pos, in_pos;
      bool force_share = false, skip_create = false;
 +    const char *snapshot_name = NULL;
      struct DdInfo dd = {
          .flags = 0,
          .count = 0,
-@@ -4968,7 +4970,7 @@ static int img_dd(int argc, char **argv)
+@@ -5003,7 +5005,7 @@ static int img_dd(int argc, char **argv)
          { 0, 0, 0, 0 }
      };
  
@@ -74,7 +74,7 @@ index 015d6d2ce4..7031195e32 100644
          if (c == EOF) {
              break;
          }
-@@ -4991,6 +4993,19 @@ static int img_dd(int argc, char **argv)
+@@ -5026,6 +5028,19 @@ static int img_dd(int argc, char **argv)
          case 'n':
              skip_create = true;
              break;
@@ -94,7 +94,7 @@ index 015d6d2ce4..7031195e32 100644
          case 'U':
              force_share = true;
              break;
-@@ -5050,11 +5065,24 @@ static int img_dd(int argc, char **argv)
+@@ -5085,11 +5100,24 @@ static int img_dd(int argc, char **argv)
      if (dd.flags & C_IF) {
          blk1 = img_open(image_opts, in.filename, fmt, 0, false, false,
                          force_share);
@@ -120,7 +120,7 @@ index 015d6d2ce4..7031195e32 100644
      }
  
      if (dd.flags & C_OSIZE) {
-@@ -5203,6 +5231,7 @@ static int img_dd(int argc, char **argv)
+@@ -5244,6 +5272,7 @@ static int img_dd(int argc, char **argv)
  out:
      g_free(arg);
      qemu_opts_del(opts);

debian/patches/pve/0051-vma-allow-partial-restore.patch

@@ -24,10 +24,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 126 insertions(+), 97 deletions(-)
 
 diff --git a/vma-reader.c b/vma-reader.c
-index 4f4ee2b47b..844d95a5ba 100644
+index e65f1e8415..81a891c6b1 100644
 --- a/vma-reader.c
 +++ b/vma-reader.c
-@@ -29,6 +29,7 @@ typedef struct VmaRestoreState {
+@@ -28,6 +28,7 @@ typedef struct VmaRestoreState {
      bool write_zeroes;
      unsigned long *bitmap;
      int bitmap_size;
@@ -35,7 +35,7 @@ index 4f4ee2b47b..844d95a5ba 100644
  }  VmaRestoreState;
  
  struct VmaReader {
-@@ -426,13 +427,14 @@ VmaDeviceInfo *vma_reader_get_device_info(VmaReader *vmar, guint8 dev_id)
+@@ -425,13 +426,14 @@ VmaDeviceInfo *vma_reader_get_device_info(VmaReader *vmar, guint8 dev_id)
  }
  
  static void allocate_rstate(VmaReader *vmar,  guint8 dev_id,
@@ -51,7 +51,7 @@ index 4f4ee2b47b..844d95a5ba 100644
  
      int64_t size = vmar->devinfo[dev_id].size;
  
-@@ -447,28 +449,30 @@ static void allocate_rstate(VmaReader *vmar,  guint8 dev_id,
+@@ -446,28 +448,30 @@ static void allocate_rstate(VmaReader *vmar,  guint8 dev_id,
  }
  
  int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id, BlockBackend *target,
@@ -99,7 +99,7 @@ index 4f4ee2b47b..844d95a5ba 100644
  
      return 0;
  }
-@@ -561,19 +565,23 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+@@ -560,19 +564,23 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
          VmaRestoreState *rstate = &vmar->rstate[dev_id];
          BlockBackend *target = NULL;
  
@@ -129,7 +129,7 @@ index 4f4ee2b47b..844d95a5ba 100644
  
              max_sector = vmar->devinfo[dev_id].size/BDRV_SECTOR_SIZE;
          } else {
-@@ -619,7 +627,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+@@ -618,7 +626,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
                  return -1;
              }
  
@@ -138,7 +138,7 @@ index 4f4ee2b47b..844d95a5ba 100644
                  int nb_sectors = end_sector - sector_num;
                  if (restore_write_data(vmar, dev_id, target, vmstate_fd,
                                         buf + start, sector_num, nb_sectors,
-@@ -655,7 +663,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+@@ -654,7 +662,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
                          return -1;
                      }
  
@@ -147,7 +147,7 @@ index 4f4ee2b47b..844d95a5ba 100644
                          int nb_sectors = end_sector - sector_num;
                          if (restore_write_data(vmar, dev_id, target, vmstate_fd,
                                                 buf + start, sector_num,
-@@ -680,7 +688,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+@@ -679,7 +687,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
                              vmar->partial_zero_cluster_data += zero_size;
                          }
  
@@ -156,7 +156,7 @@ index 4f4ee2b47b..844d95a5ba 100644
                              if (restore_write_data(vmar, dev_id, target, vmstate_fd,
                                                     zero_vma_block, sector_num,
                                                     nb_sectors, errp) < 0) {
-@@ -851,7 +859,7 @@ int vma_reader_verify(VmaReader *vmar, bool verbose, Error **errp)
+@@ -850,7 +858,7 @@ int vma_reader_verify(VmaReader *vmar, bool verbose, Error **errp)
  
      for (dev_id = 1; dev_id < 255; dev_id++) {
          if (vma_reader_get_device_info(vmar, dev_id)) {
@@ -166,7 +166,7 @@ index 4f4ee2b47b..844d95a5ba 100644
      }
  
 diff --git a/vma.c b/vma.c
-index 89440733b1..21e765a469 100644
+index e8dffb43e0..e6e9ffc7fe 100644
 --- a/vma.c
 +++ b/vma.c
 @@ -138,6 +138,7 @@ typedef struct RestoreMap {

debian/patches/pve/0052-pbs-namespace-support.patch

@@ -13,10 +13,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  5 files changed, 47 insertions(+), 9 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 52ddbf95ad..69c868887a 100644
+index f98f4cf7e6..55ef4f5965 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1041,6 +1041,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1043,6 +1043,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
          false, NULL, // PBS key_password
          false, NULL, // PBS master_keyfile
          false, NULL, // PBS fingerprint
@@ -25,7 +25,7 @@ index 52ddbf95ad..69c868887a 100644
          false, 0, // PBS backup-time
          false, false, // PBS use-dirty-bitmap
 diff --git a/block/pbs.c b/block/pbs.c
-index c5eb4d5bad..7471e2ef9d 100644
+index ce9a870885..9192f3e41b 100644
 --- a/block/pbs.c
 +++ b/block/pbs.c
 @@ -14,6 +14,7 @@
@@ -112,10 +112,10 @@ index c5eb4d5bad..7471e2ef9d 100644
  
  static const char *const pbs_strong_runtime_opts[] = {
 diff --git a/pbs-restore.c b/pbs-restore.c
-index 4d3f925a1b..62042bdd93 100644
+index 2f834cf42e..f03d9bab8d 100644
 --- a/pbs-restore.c
 +++ b/pbs-restore.c
-@@ -30,7 +30,7 @@
+@@ -29,7 +29,7 @@
  static void help(void)
  {
      const char *help_msg =
@@ -124,7 +124,7 @@ index 4d3f925a1b..62042bdd93 100644
          ;
  
      printf("%s", help_msg);
-@@ -78,6 +78,7 @@ int main(int argc, char **argv)
+@@ -77,6 +77,7 @@ int main(int argc, char **argv)
      Error *main_loop_err = NULL;
      const char *format = "raw";
      const char *repository = NULL;
@@ -132,7 +132,7 @@ index 4d3f925a1b..62042bdd93 100644
      const char *keyfile = NULL;
      int verbose = false;
      bool skip_zero = false;
-@@ -91,6 +92,7 @@ int main(int argc, char **argv)
+@@ -90,6 +91,7 @@ int main(int argc, char **argv)
              {"verbose", no_argument, 0, 'v'},
              {"format", required_argument, 0, 'f'},
              {"repository", required_argument, 0, 'r'},
@@ -140,7 +140,7 @@ index 4d3f925a1b..62042bdd93 100644
              {"keyfile", required_argument, 0, 'k'},
              {0, 0, 0, 0}
          };
-@@ -111,6 +113,9 @@ int main(int argc, char **argv)
+@@ -110,6 +112,9 @@ int main(int argc, char **argv)
              case 'r':
                  repository = g_strdup(argv[optind - 1]);
                  break;
@@ -150,7 +150,7 @@ index 4d3f925a1b..62042bdd93 100644
              case 'k':
                  keyfile = g_strdup(argv[optind - 1]);
                  break;
-@@ -161,8 +166,16 @@ int main(int argc, char **argv)
+@@ -160,8 +165,16 @@ int main(int argc, char **argv)
          fprintf(stderr, "connecting to repository '%s'\n", repository);
      }
      char *pbs_error = NULL;
@@ -170,7 +170,7 @@ index 4d3f925a1b..62042bdd93 100644
          fprintf(stderr, "restore failed: %s\n", pbs_error);
          return -1;
 diff --git a/pve-backup.c b/pve-backup.c
-index 9f6c04a512..f6a5f8c785 100644
+index 41e8effa01..1c25ae98bd 100644
 --- a/pve-backup.c
 +++ b/pve-backup.c
 @@ -10,6 +10,8 @@
@@ -182,7 +182,7 @@ index 9f6c04a512..f6a5f8c785 100644
  /* PVE backup state and related function */
  
  /*
-@@ -535,6 +537,7 @@ UuidInfo coroutine_fn *qmp_backup(
+@@ -531,6 +533,7 @@ UuidInfo coroutine_fn *qmp_backup(
      bool has_key_password, const char *key_password,
      bool has_master_keyfile, const char *master_keyfile,
      bool has_fingerprint, const char *fingerprint,
@@ -190,7 +190,7 @@ index 9f6c04a512..f6a5f8c785 100644
      bool has_backup_id, const char *backup_id,
      bool has_backup_time, int64_t backup_time,
      bool has_use_dirty_bitmap, bool use_dirty_bitmap,
-@@ -674,8 +677,9 @@ UuidInfo coroutine_fn *qmp_backup(
+@@ -670,8 +673,9 @@ UuidInfo coroutine_fn *qmp_backup(
          firewall_name = "fw.conf";
  
          char *pbs_err = NULL;
@@ -202,10 +202,10 @@ index 9f6c04a512..f6a5f8c785 100644
              backup_time,
              dump_cb_block_size,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index d089328a1f..705f0c97ba 100644
+index d8c7331090..889726fc26 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -821,6 +821,8 @@
+@@ -817,6 +817,8 @@
  #
  # @fingerprint: server cert fingerprint (optional for format 'pbs')
  #
@@ -214,7 +214,7 @@ index d089328a1f..705f0c97ba 100644
  # @backup-id: backup ID (required for format 'pbs')
  #
  # @backup-time: backup timestamp (Unix epoch, required for format 'pbs')
-@@ -840,6 +842,7 @@
+@@ -836,6 +838,7 @@
                                      '*key-password': 'str',
                                      '*master-keyfile': 'str',
                                      '*fingerprint': 'str',
@@ -222,7 +222,7 @@ index d089328a1f..705f0c97ba 100644
                                      '*backup-id': 'str',
                                      '*backup-time': 'int',
                                      '*use-dirty-bitmap': 'bool',
-@@ -3236,7 +3239,7 @@
+@@ -3290,7 +3293,7 @@
  { 'struct': 'BlockdevOptionsPbs',
    'data': { 'repository': 'str', 'snapshot': 'str', 'archive': 'str',
              '*keyfile': 'str', '*password': 'str', '*fingerprint': 'str',

debian/patches/pve/0053-Revert-block-rbd-workaround-for-ceph-issue-53784.patch

@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fabian Ebner <f.ebner@proxmox.com>
+Date: Thu, 23 Jun 2022 14:00:05 +0200
+Subject: [PATCH] Revert "block/rbd: workaround for ceph issue #53784"
+
+This reverts commit fc176116cdea816ceb8dd969080b2b95f58edbc0 in
+preparation to revert 0347a8fd4c3faaedf119be04c197804be40a384b.
+
+Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+---
+ block/rbd.c | 42 ++----------------------------------------
+ 1 file changed, 2 insertions(+), 40 deletions(-)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index 64a8d7d48b..9fc6dcb957 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1348,7 +1348,6 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+     int status, r;
+     RBDDiffIterateReq req = { .offs = offset };
+     uint64_t features, flags;
+-    uint64_t head = 0;
+ 
+     assert(offset + bytes <= s->image_size);
+ 
+@@ -1376,43 +1375,7 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+         return status;
+     }
+ 
+-#if LIBRBD_VERSION_CODE < LIBRBD_VERSION(1, 17, 0)
+-    /*
+-     * librbd had a bug until early 2022 that affected all versions of ceph that
+-     * supported fast-diff. This bug results in reporting of incorrect offsets
+-     * if the offset parameter to rbd_diff_iterate2 is not object aligned.
+-     * Work around this bug by rounding down the offset to object boundaries.
+-     * This is OK because we call rbd_diff_iterate2 with whole_object = true.
+-     * However, this workaround only works for non cloned images with default
+-     * striping.
+-     *
+-     * See: https://tracker.ceph.com/issues/53784
+-     */
+-
+-    /* check if RBD image has non-default striping enabled */
+-    if (features & RBD_FEATURE_STRIPINGV2) {
+-        return status;
+-    }
+-
+-#pragma GCC diagnostic push
+-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+-    /*
+-     * check if RBD image is a clone (= has a parent).
+-     *
+-     * rbd_get_parent_info is deprecated from Nautilus onwards, but the
+-     * replacement rbd_get_parent is not present in Luminous and Mimic.
+-     */
+-    if (rbd_get_parent_info(s->image, NULL, 0, NULL, 0, NULL, 0) != -ENOENT) {
+-        return status;
+-    }
+-#pragma GCC diagnostic pop
+-
+-    head = req.offs & (s->object_size - 1);
+-    req.offs -= head;
+-    bytes += head;
+-#endif
+-
+-    r = rbd_diff_iterate2(s->image, NULL, req.offs, bytes, true, true,
++    r = rbd_diff_iterate2(s->image, NULL, offset, bytes, true, true,
+                           qemu_rbd_diff_iterate_cb, &req);
+     if (r < 0 && r != QEMU_RBD_EXIT_DIFF_ITERATE2) {
+         return status;
+@@ -1431,8 +1394,7 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+         status = BDRV_BLOCK_ZERO | BDRV_BLOCK_OFFSET_VALID;
+     }
+ 
+-    assert(req.bytes > head);
+-    *pnum = req.bytes - head;
++    *pnum = req.bytes;
+     return status;
+ }
+